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ABSTRACT 


The investigatory findings of the Space Shuttle Challenger and Columbia 
accident investigation boards are analyzed and evaluated relative to one another, with the 
goal of determining if there are lessons applicable to organizations that manage 
technically complex programs. An analysis is conducted of the recommendations from 
the Challenger investigation and NASA’s actions taken to correct problems in the 
organization. The effectiveness of both the recommendations and NASA’s response in 
terms of preventing the Columbia accident are examined. In the intervening years 
between the Challenger and Columbia, several unofficial analyses of the Challenger 
accident and investigation have been published. The findings of these independent works 
are presented in order to determine any relationship to the Columbia accident and the 
subsequent Columbia investigation. The investigation of the Columbia accident and 
Challenger accident are compared to determine if any of the investigatory findings 
indicate that there were common factors in the accidents. An evaluation of the NASA 
organizational structure and culture is conducted. The impact of the culture on 
implementing the changes recommended after Challenger and relationship to the 
Columbia accident and investigation is examined. These analyses and examinations 
result in several conclusions and recommendations applicable to organizations that 
manage technically complex programs. 
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I. 


INTRODUCTION 


A. PURPOSE 

The purpose of this research paper is to investigate, analyze, and evaluate the 
investigatory findings of the Space Shuttle Columbia and Challenger accidents. The 
focus of the research is an analysis of the recommendations from the Challenger 
investigation, and the National Aeronautics and Space Administration’s (NASA’s) 
actions taken in response to the recommendations to determine the effectiveness of both 
the recommendations and NASA’s response in terms of preventing the Columbia 
disaster. This study compares the Challenger and Columbia investigatory findings to 
determine if any recommendations indicate there were common factors in the accidents. 

This paper does not seek to find common technical basis for the accidents, but 
rather common organizational and cultural factors in the accidents. Further, 
recommendations that are unique to the Columbia investigation are analyzed with respect 
to their relevance to the Challenger accident and whether identification at the time of the 
Challenger accident may have had a positive impact on preventing the Columbia 
accident. Finally, this piece provides generalized observations and recommendations, 
distilled from NASA’s experiences, to other activities that similarly pursue large-scale, 
technically complex, risky-laden, taxpayer-funded projects within the confines and 
culture of an outsized, widely dispersed, strictly hierarchical bureaucracy. 

B. BACKGROUND 

Within the course of one generation, the National Aeronautics and Space 
Administration (NASA) has witnessed two disastrous accidents that have claimed the 
lives of fourteen of this nation’s best and brightest individuals and have shaken the 
confidence of the nation in continued manned exploration of space. On 28 January 1986, 
the Space Shuttle Challenger (mission 51-L) exploded seventy-three seconds after 
takeoff due to a failure of an O-ring seal on one of the two Solid Rocket Boosters (SRBs). 


1 



Detailed investigation ensued encompassing a Presidential Commission 1 , Congressional 
investigations and hearings 23 , internal NASA investigations, and numerous reports from 
governmental scientific organizations such at the National Research Council 4 . The 
magnitude of these investigations combined with the re-ordering of NASA’s processes 
and procedures, and safety program revitalization in response to the recommendation of 
these investigations, lead to the expectation of elimination or reduced possibility of future 
shuttle accidents. However, on 1 February 2003, Space Shuttle Columbia mission Space 
Transport System (STS)-107 broke apart on reentry due to an incident that occurred 81.7 
seconds after launch, seventeen days earlier. Once again, Commissions were appointed, 
hearings held, findings issued, and plans for correction were issued. 5 

C. RESEARCH QUESTIONS 

It is not the intent of this research to analyze the technical, scientific, or 
engineering findings of the investigations, for it is obvious that the specific failure that 
ultimately brought down each shuttle was quite different in nature and root cause. Rather 
the purpose in analyzing the investigatory findings is to answer the following questions. 

1. What similarities and differences exist when comparing the recommendations 
made by both commissions? Are there any recommendations from the 
Challenger investigation that if properly implemented, could have affected the 
issues leading to the Columbia accident? Are there any recommendations from 
the CAIB that could have been identified by the Challenger investigation? For 


1 Presidential Commission on the Space Shuttle Challenger Accident - William P. Rogers Chairman, 
Report of the Presidential Commission on the Space Shuttle Challenger Accident, Washington, D.C. 6 June 
1986. 

2 House of Representatives, Committee on Science and Technology, Ninety-Ninth Congress, 
Investigation of the Challenger Accident (Volume 1 and 2), Hearings before the Committee on Science and 
Technology, Government Printing Office, Washington, D.C., 1986. 

3 United States Senate, Committee on Commerce, Science and Transportation, Ninety-Ninth Congress, 
Space Shuttle Accident, Hearings before the Subcommittee on Science, Technology and Space, Government 
Printing Office, Washington, D.C., 1986. 

4 National Research Council, Post-Challenger Evaluation of Space Shuttle Risk Assessment and 
Management, National Academy Press, Washington D.C. January 1988. 

5 Columbia Accident Investigation Board (CAIB), Columbia Accident Investigation Board Report, p. 

9, Government Printing Office, Washington D.C., 2003. 
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any recommendations that were made by both commissions, is it expected that the 
post Columbia NASA can implement the recommendation more effectively? 

2. Are there factors, that neither investigation identified, that should be considered in 
helping to prevent future catastrophic occurrences in complex engineering 
development projects? 

3. What problems existed in the NASA culture during the times of both accidents? 
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II. THE ACCIDENTS 


A. CHALLENGER’S FINAL MISSION 

Mission 51-L of the Challenger , the 25 th flight of the Space Shuttle Program was 
initially planned for July 1985 and originally delayed until November 1985, once the 
crew was assigned. Further modifications to payload changes and other flight changes 
resulted in a subsequent rescheduling for late January 1986. The mission of 51-L 
included two satellites for deployment, execution of a number of experiments in the crew 
compartment, and the introduction of the Teacher in Space program. Starting on 23 
December 1985 three further postponements of the flight occurred. On that date, the 
launch was slipped from 22 January 1986 to 23 January 1986 due to a slip in mission 61- 
C that preceded 51-L. On 22 January 1986 (the day before the then launch date) the 
launch was slipped to 26 January 1986, again due to work requirements related to the late 
launch of 61-C. The third postponement occurred on the evening before the launch due 
to an unacceptable weather forecast for the 26 th . A launch was attempted on the 27 th but 
was halted due to a problem with an external hatch handle could not be resolved. The 
launch was rescheduled for the 28 January 1986. 

The temperature overnight was forecast to drop into the twenties degrees 
Fahrenheit (F). As this was quite unusually cold for Florida, engineers were directed to 
assess negative effects of the weather on the mission. It was decided to continue with the 
countdown. Early in the morning, an inspection team was dispatched to examine ice that 
had formed in the launch pad area. A second inspection later in the morning resulted in a 
decision to allow more time for the ice to melt. At 11:15 AM, the ice inspection released 
the launch hold at T-9 minutes and an ‘all go’ for launch was achieved. At 11:38 AM, 
the flight of 51-L began. Seventy-three seconds later the flight ended in an explosion that 
destroyed the External Tank and exposed the orbiter to severe aerodynamic loads that led 
to catastrophic failure of the Shuttle. All aboard perished. The technical explanation of 
the accident centered on the failure of the joint between two segments on the right Solid 
Rocket Booster (SRB). The O-rings that were intended to seal this joint from hot gases 
leaking through the joint failed to perform properly, due to the extremely low 

temperatures for the intended launch environment. This leak allowed a flame to emerge 
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from the SRB about one minute into the flight. The flame grew in size and began to 
impinge upon the External Tank. It quickly breached the tank, interacting with hydrogen 
leaking from the tank. This interaction resulted in the eventual destruction of the external 
tank and orbiter, 73.137 seconds after takeoff. 6 

B. COLUMBIA’S FINAL MISSION 

The 113 th mission of the Space Shuttle Program, and the 28 th flight of the 
Columbia , was mission STS-107. This was a purely scientific mission, dedicated to the 
performance of a variety of micro gravity and life science experiments, as well as a joint 
U.S./Israeli space experiment. The Columbia, which flew the first Space Shuttle mission 
STS-1, was chosen for this mission because its configuration did not allow it to dock with 
the international space station, so it did not fly on the space station missions. However, 
because of its cargo capabilities, it was better suited for science missions. 

The STS-107 mission launched on January 16, 2002, and began its doomed 
seventeen-day mission. The day after the launch, photographic analysis determined that 
at 81.9 seconds after launch, a large piece of insulating foam separated from the External 
Tank, and struck Columbia" s left wing at a relative velocity of 416 to 573 miles-per-hour. 
After completing seventeen days of experiments, the orbiter began preparations to return 
to earth on 1 February 2002. During the decent and reentry, the damage caused by the 
foam impact caused a failure of the Thermal Protection System, which allowed 
superheated air to impinge upon the wing’s internal aluminum structure, causing a failure 
of the wing, loss of control of the orbiter, and eventual breakup destroying the orbiter and 
taking the lives of the seven-member crew. 

Like the pre-launch meetings before the Challenger" s final flight, where NASA 
had the opportunity to make a decision the may have changed the outcome of the 
mission, NASA had several meetings and opportunities to determine the extent of the 
damage to the orbiter after they discovered there was an impact during launch. There 
were three requests for imaging of the Columbia while in orbit to try to determine if the 
debris strike had visibly damaged any critical thermal tiles. Each request was denied by 
NASA’s upper management. 

6 Presidential Commission on the Space Shuttle Challenger Accident, p. 38. 


6 



Per NASA’s guidelines, a Debris Assessment Team was formed to review 
situation surrounding the foam impact during launch. Although their requests for 
imaging were denied, they concluded that some heating might occur as a result of tiles 
damaged during the foam impact; however, their analysis did not conclude that there 
would be structural damage to the orbiter. The debris strike was considered a 
maintenance issue, and was not a concern to management. The reentry was treated like 
any other. 
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III. THE INVESTIGATIONS 


A. BACKGROUND 

In response to the Challenger accident President Ronald Regan appointed 
William Rogers to lead the Presidential Commission on the Space Shuttle Challenger 
Accident (The Rogers Commission). In his letter to President Reagan, submitting the 
Commission’s report, Rogers states “Our objective has been not only to prevent any 
recurrence of the failure related to this accident, but to the extent possible to reduce other 
risks in future flights .” 7 Although the Commission’s mandate from the President was an 
investigation of the Challenger accident and the development of recommendations for 
corrective action, it is clear that the Commission viewed its mandate as broad; to matters 
beyond the accident that would make future flights safer. While it is certainly not 
appropriate to lay future accidents in the hands of this commission, it is appropriate, in 
light of the Columbia accident, to determine if any of the Commission’s findings applied 
to Columbia accident or if any of the factors determined to be at the cause of the 
Columbia accident went unnoted during the Challenger investigation. 

To determine the causes of the Columbia accident, the Columbia Accident 
Investigation Board (CAIB) was formed. As with the Rogers Commission, they viewed 
their mandate as determining the causal factors as well as the physical factors responsible 
for the accident. Although they never place the blame on any commissions that came 
before them, the Columbia Accident Investigation Board (CAIB) does review many of 
the previous findings in an attempt to determine if they could have had a positive or 
negative impact on events leading up to the Columbia accident. “The Board’s conviction 
regarding the importance of these factors strengthened as the investigation progressed, 
with the result that this report, in its findings, conclusions, and recommendations places 
as much weight on these causal factors as on the more easily understood and corrected 
physical cause of the accident .” 8 


7 Presidential Commission on the Space Shuttle Challenger Accident, p. 1. 

8 CAIB, p. 9. 
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B. INVESTIGATIONS OF THE CHALLENGER ACCIDENT 

1. Overview 

The Rogers Commission found that the loss of the Challenger was ultimately 
caused by a failure in the joint between the two lower segments of the right Solid Rocket 
Booster (SRB). Of the sixteen findings presented by the Commission as the “Cause of 
the Accident,” all dealt in some respect with the technical rational for why they 
determined this was the cause. However, of the nine recommendations that the 
Commission made to the President and NASA to help assure the return to safe flight, 
only Recommendation I dealt specifically with the redesign of the faulty SRB joint. Four 
other recommendations (III, VI, VII, and IX) dealt with additional technical and 
maintenance issues, unrelated to the SRB, which were uncovered during the 
investigation. The remaining four recommendations related to organizational, 
management and communications changes with in NASA. These recommendations 
arose out of the broader mandate that the Rogers Commission adopted “...to reduce other 
risks in future flights.” 9 None of the recommendations dealt with the political 
environment within which NASA operates (Congress, President’s Budget, political 
process, and scarce resources). In fact, in the Preface to its report, the Commission stated 
“...the Commission did not construe its mandate to require a detailed investigation of all 
aspects of the Space Shuttle program; to review budgetary matters ... or supersede 
Congress in any way.” 10 The four non-technical recommendations arose from the 
broader investigation of the accident that looked for contributing causes, historical 
context, NASA’s safety program, and pressures on the Space Transportation System. 
The following sections will present and review the Commission’s findings and 
recommendations that developed from this broader investigation. This examination will 
be used to determine to what extent the Commissions findings comprehensively 
identified factors that contributed to the accident or needed to be changed to prevent 
future accidents. The investigation of this section is limited to those areas that the 
Commission viewed within their mandate either by explicitly stating as such or by 


9 Presidential Commission on the Space Shuttle Challenger Accident, p. 1. 

10 Ibid. 
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implication due to the topics presented in their report. Presentation and discussion of 
areas of that went beyond the mandate of the Commission will be offered in the analysis 
section. 

2. Contributing Causes of the Accident 

The Rogers Commission analysis of contributing causes of the accident identified 
flaws in the decision making process with regard to decision to launch. It has become the 
popular perception that the Challenger accident was a combination of a technical flaw 
with a flawed decision to launch made by those unaware of the recent history of problems 
concerning the SRB joint. Later in this paper, we will examine the validity of the 
perception of the flawed launch decision; for now we will present the Rogers 
Commission basis for this finding since this had a profound impact on the 
recommendations made by the Rogers Commission. 

On the eve of the launch of the Challenger , a teleconference was convened to 
allow Morton Thiokol (the manufacturer of the SRBs) engineers to express their concern 
about launching in the cold weather that was expected the next day. The temperature was 
predicted to be in the low twenties degrees (F) at Cape Canaveral at launch time. The 
Thiokol engineers were responding to a request from NASA to assess the effects of the 
cold on the SRB performance. The Thiokol engineers had expressed concern that the 
resiliency of the O-rings would be affected by the cold, and that a known O-ring erosion 
problem would be made worse, threatening flight safety. The teleconference involved 
Thiokol and two NASA Centers - Marshall Space Flight Center (responsible for the 
SRBs) and Kennedy Space Center (responsible for the launch). At this teleconference, 
Thiokol indicated they thought launch should be delayed until afternoon, when the 
temperatures would be higher. In response to this recommendation, a second, more 
formal, teleconference was scheduled for later that same evening so that more personnel 
could be informed, and a launch decision could be made. 

At this teleconference, Thiokol stated that the O-rings would be slower to seal 

than on the previous coldest launch, which had been fifty-three degrees F, when 

significant O-ring blow-by had been observed. Therefore, it was recommended that the 

launch not be conducted at temperatures below fifty-three degrees F. In response to the 

recommendation, NASA representatives at both Marshall and Kennedy began to question 
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Thiokol’s position based on the fact that there was current no Launch Commit Criteria 
(LCC) for SRB joint temperature. Thiokol’s management was pressed for a clarification 
by NASA. Thiokol then requested an off-line, Thiokol only discussion, before 
responding. What ensued was a management decision that resulted in a change in the 
Thiokol position to one of recommending launch. The NASA participants accepted the 
revised recommendation. Thiokol’s concerns were not communicated to the Level II 
Flight Readiness Review (FRR) authority, the Manager, National Space Transportation 
Program. The Commission indicates in its findings that “had matters been clearly stated 
and emphasized in the flight readiness process ..., it seems likely that the launch of 51-L 
might not have occurred when it did.” 11 This assertion is central to many of the 
recommendations made by the Commission; however, others who have investigated the 
launch decision disagree with this assertion. Diane Vaughan, a sociologist who has 
written at length on the underlying reasons behind the Challenger accidents, writes, “Yet 
communication problems were an inadequate explanation of the launch decision.” 12 

Vaughan’s investigation revealed that in the minds of those involved with the 
launch decision as a result of the teleconference, that there was no need to elevate the 
decision because it was a Level III FRR issue, which had been resolved at that level. As 
such, and because it did not involve a violation of any existing LCC, it did not need to be 
communicated to a higher level. Further, those individuals higher in the readiness 
approval process are dependent upon those at the lower levels to provide information and 
analysis to make their decisions. By the time the teleconference was completed the 
documentation indicated consensus between the organizations participating in the 
teleconference. By identifying the resulting action from the teleconference as “a serious 
flaw in the decision making process,” the Commission did not provide sufficient basis for 
correcting the underlying reason that the information provided by Thiokol engineers on 
the eve of the launch did not result in a decision to delay the launch. 

The Rogers Commission’s Recommendation II appears to be a direct result of the 
perceived flawed launch decision process. This recommendation included modifications 

11 Presidential Commission on the Space Shuttle Challenger Accident, p. 1. 

12 D. Vaughan, The Challenger Launch Decision, p. 11, The University of Chicago Press, Chicago, 
1996. 
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to the shuttle management structure and establishment of an STS Safety Advisory Panel. 
The proposed changes in the shuttle management structure were focused on the fact that 
various elements of the Shuttle program felt more accountable to their center 
management that to the overall Shuttle program organization. The recommendation was 
to strengthen the Shuttle Program Manager position by placing all program funding and 
all Shuttle Program work at the NASA Centers, under Program Manager’s authority. The 
charter of the STS Safety Advisory Panel advocated in this recommendation was to 
include Shuttle operational issues, launch commit criteria (LCC), flight rules, flight 
readiness, and risk management. The STS Safety Advisor Panel would report directly to 
the Shuttle Program Manager. 

Recommendation V, Improved Communication, also arose as a result of the 
Commission’s investigation of contributing causes of the accident. The rational for this 
recommendation flows from the tendency for isolation at the various Space Centers with 
respect to communication, especially of problems, to higher levels. This is the only 
recommendation from the Commission that specifies possible personnel action as a result 
of the accident, when it recommended these tendencies should be addressed “...by 
changes of personnel, organization, indoctrination or all three.” 13 The assertion by the 
Commission that the communication problems bordered on misconduct will be analyzed 
in more detail later in this paper. 

During the investigation of the contributing factors of the accident, the Rogers 
Commission found that the “NASA appeared to be requiring a contractor to prove that it 
was not safe to launch, rather than proving it was safe.” In his discussion of the launch 
decision process, McConnell states, “Rather than demanding that all those supporting the 
launch prove that conditions were safe, the senior members of the launch team demanded 
that their subordinates and the contractor representatives prove that is was not safe to 
launch” 14 . Interestingly, seventeen years later, in laying out the priorities for returning to 
flight after the Columbia accident, NASA Administrator Sean O’ Keefe indicated that a 


13 Presidential Commission on the Space Shuttle Challenger Accident, p200. 


14 M. McConnell, Challenger A Major Malfunction, p. 210. Doubleday and Company, Garden City, 
NY, 1987. 
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shift was once again needed from “prove to me that it’s not safe” to “prove to me that it is 
safe.” 15 The reasons behind this apparent illogical pattern will be examined in more 
detail in this report. 

3. Historical Contexts 

The Rogers Commission devotes a section of its report to the historical contexts 
of the accident. According to the Commission’s report, the accident “began with 
decisions made in the design of the joint and in the failure by both Thiokol and NASA’s 
Solid Rocket Booster project office to understand and respond to facts obtained during 
testing.” 16 For purposes of the analysis presented here, since the Commission includes 
the impacts of historical design decisions in its investigatory findings, it is appropriate to 
consider the extent to which there findings were complete. Other investigators of the 
Challenger accident trace the historical roots back much further than did the Rogers 
Commission. McConnell indicates that during negotiations in the early 1970’s, in order 
to get approval from Congress, NASA was forced to compromise on the Shuttle design. 17 
Vaughan points out, regarding the final design decision, “The final design was far from 
NASA’s original concept.” 18 Although NASA was given responsibility (and would 
ultimately be accountable) for reaching the Nation’s space goals, the ability to 
accomplish these goals had been constrained by other organizations within the 
environment that NASA had to operate. Joseph Trento, in his book “Prescription for 
Disaster,” states that the shuttle would have to be a “politically acceptable machine.” 19 
This was in stark contrast to the freedom and seemingly limitless budget that NASA was 
given to achieve its goals and meet the Nation’s aspirations in the Apollo program. 

While the Rogers report goes on to present six findings related to the historical 
context of the accident, all of the findings relate to the SRB joint design. There is no 
discussion offered in the report concerning the fact that the Shuttle that was eventually 
produced by NASA was not considered the best technical solution to the mission. The 

15 M. Wims, “NASA must ‘move forward,' leader says, ” The Providence Journal, p. B-l, 7 Sept 03. 

16 Presidential Commission on the Space Shuttle Challenger Accident, p. 148. 

17 McConnell, p 38. 

18 Vaughan, p 22. 

19 J.J. Trento, Prescription for Disaster, p. 96. Crown Publishers, Inc, New York, 1987. 
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preferred concept that NASA envisioned was a completely reusable two-stage system. 
This concept consisted of a manned first stage, large, winged rocket booster, which 
would carry a smaller, winged, manned orbiter. Each vehicle would be returned for 
landing by its crew after the mission and would be refurbished for the next mission. This 
Space Shuttle concept was acknowledged as a very expensive approach, with high 
Research and Design (R&D) and non-re-occurring costs, but less expensive to operate, 
long term. When NASA was told that its design was unaffordable, NASA embarked 
down the path of compromise that has led to the vehicle they operate today. 

There are several important aspects of the original design that were eventually 
changed for the final design that relate to the Shuttle accidents, which went 
unacknowledged by the Rogers Commission. First, all of the propulsion systems in the 
original design were to have been cryogenic liquid propellants; which would have 
avoided the difficulties associated with designing and operating solid rocket boosters. 
When NASA began to compromise the design in order to keep the project alive, one of 
the first changes was to make the system “partially” reusable by using an expendable, 
external tank to feed the orbiter’s engines and two strap-on reusable boosters to provide 
the required lift-off thrust. However, the design studies indicated that due to the 
extensive rework requirements associated with the plumbing systems after a water impact 
recovery, a liquid-rocket booster design would be unable to meet the rapid turn around 
requirements for the boosters. 20 Cost studies also indicated that the liquid systems would 
be more expensive than solid rockets 21 . Therefore, the external boosters shifted to a solid 
propellant design in order to make the Shuttle affordable enough to build. According to 
Trento, experts such as Von Braun viewed the decision to use solid rockets as a 
dangerous one. 22 Solid rockets once initiated, could not be shut down. The design of the 
SRBs, as they came to be known, was driven by the need to transport the boosters from 
the manufacturing facility to the launch complex in Florida. As a result, the segmented 
design emerged, with the joint/O-ring design that was ultimately blamed for the 
Challenger accident. 

20 McConnell, p. 210. 

21 Trento, p. 114. 

22 Trento, p. 107. 
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The second aspect relates to differences in the orbiters envisioned in the original 
design versus the orbiters that are currently in use. The original orbiter design included 
with the piloted, winged booster was much smaller than the orbiter eventually built. 
Because of the capability of the original booster, the orbiter did not need to have as 
powerful engines as the current orbiter. However, the change in the booster concept 
resulted in growth in the size of the orbiter. A more profound impact to the orbiter design 
was made to ensure buy-in from the Air Force. In order to meet the needs of the Air 
Force, the orbiter had to be able to perform a thousand-mile cross range capability on it 
reentry glide path. 23 The original NASA design was for a slow, straight-wing glider that 
could not meet this requirement. Instead, in order to ensure support of the Air Force, 
NASA redesigned the orbiter; resulting in the high-speed, delta-winged orbiter that was 
eventually built. This new design needed to employ an extreme glide slope and land at 
extremely high speeds. The implications of the change in design had profound impacts 
on the performance of the orbiter during reentry. The design solution of lightweight 
silicon tiles to solve the heating problem of reentry emerged during the design of the 
original orbiter. In fact, the short fuselage configured with straight, high-lift wings of the 
original orbiter design was well suited to the use of the tiles. However, the redesigned 
delta-wing concept considerably increased the complexity of this approach and created 
unusual stresses and vibrations that did not exist in the original design. 24 Additionally, 
the delta-wing orbiter needed to maneuver at much higher speeds during reentry than the 
original design. This exposed the shuttle to higher temperatures for longer durations. 
The response to this was to increase the density of the protective tiles. 25 The factors 
associated with the design changes on reentry dynamics and implications on protective 
tiles were not a factor in the Challenger accident, and none of the findings or 
recommendations made by the Rogers Commission resulted from these factors. 
However, the relationship to the Columbia accident, particularly as it relates to the orbiter 
redesign, needs to be further explored. 


23 McConnell, p. 37. 

24 Ibid., p. 40. 

25 Ibid., p. 39. 
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Although, the Rogers Commission’s recommendation VII called for NASA to 
make all efforts to provide a crew escape system for use during controlled flight there 
was little discussion in the Commissions report documenting the history of the crew 
escape options investigated. NASA spent considerable time and effort investigating 
modifications to the shuttle that would incorporate an escape system, it was determined to 
be unrealistic to modify the existing shuttle design. Since this is one of the 
recommendations that was not implemented by NASA in the years following the 
Challenger accident, it is worth investigating other authors’ findings in this area relating 
to historical decisions that lead to the current design. All previous manned spacecraft, 
preceding the shuttle, had been fitted with the ability to extract the crew capsule in the 
early stages of the mission. 26 Accordingly, it was the going in position in the early days 
of the design, that the Space Shuttle would also have provisions for crew escape. 
Rockwell had conducted a study of ejection seat options for the shuttle in 1971. 
Depending on the source, the reason for not implementing an escape system was either 
cost 27 ($10M for an ejection seat to $292M for a full crew compartment escape) or added 
weight. 28 The added weight had emerged from the change to the delta-wing orbiter and 
the subsequent large increase in the number and weight of tiles, another design 
compromise that was now being dealt with by another design compromise due to 
confidence “that enough safety could be engineered into the space shuttle’s propulsion 
system to obviate the need for escape rockets.” 29 

The Commission labeled another contributing factor in the Challenger accident, 
which has its roots in the history of the Space Shuttle program, as “Pressures on the 
System.” The Commission found that the Shuttle program was unable to meet the flight 
rate schedule due to a number of factors. However, this fact was never organizationally 
acknowledged by NASA in the years leading up to the Challenger accident in order to 
maintain support for the Shuttle program within the environment within NASA operated. 
This resulted in an underlying stress on the system, and those working within it, to meet 

26 McConnell, p. 39. 

27 Trento, p. 138. 

28 McConnell, p. 40. 

29 Ibid., p. 40. 
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expectations. However, the Commission claims that “NASA had not provided adequate 
resources for its [the flight rate] attainment.” 30 However, the Commission did not 
investigate the reason why NASA did not have sufficient resources due to its 
interpretation of its mandate as not including “to review budgetary matters. 31 ” In spite of 
this exclusion it is notable that included in the Appendix material to the Commission’s 
report are personal observations from R.P. Fryman, one of the Commission Members 
who maintains that management tends to underestimate the probability of failure in “an 
attempt to assure the government of NASA perfection and success in order to ensure the 
supply of funds.” 32 Arising from the Commission’s review of these pressures was 
Recommendation VIII - Flight Rate. In this recommendation, NASA was directed to 
establish a flight rate that was consistent with its resources. In response to this 
recommendation, NASA formed the Flight Rate Capability Working Group that was 
tasked to develop to determine a realistic flight rate and set out to develop a more rigid 
cargo manifest policy, to reduce the impact to cargo manifest changes on flight 
preparation. Separately, the National Research Council was asked by the House of 
Representatives to assess the flight rate capability of the Shuttle system. 33 In NASA’s 
report on Implementation of the Recommendations NASA indicated that their projection 
was a maximum capability of fourteen flights per year (assuming a replacement orbiter 
for Challenger) and that the NRC determined that an eight to ten flight/year rate was 
sustainable with three orbiters or eleven to thirteen with four orbiters. 34 However, in 
neither NASA’s response nor implementation report was there any discussion relating to 
the fact that any flight rate requirement will continue to impose pressure to meet the 
flight rate, and thereby influence the culture of the agency of bowing to schedule 
demands. In fact, the most flights ever achieved after 1986, leading up to the Columbia 


30 Presidential Commission on the Space Shuttle Challenger Accident, p. 164. 

31 Presidential Commission on the Space Shuttle Challenger Accident, p. 1. 

32 Ibid., Volume II, Appendix F, p. F-4. 

33 National Research Council, Post-Challenger Evaluation of Space Shuttle Risk Assessment and 
Management , National Academy Press, Washington D.C., January 1988. 

34 National Aeronautics and Space Administration (NASA), “Actions to Implement the 
Recommendations of The Presidential Commission on the Space Shuttle Challenger Accident,” 
Government Printing Office, Washington, D.C., July 1986. 
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accident was nine flights in 1998. Between 1994 (when the Implementation report 
indicated that full capability would be achieved) and 2002, the agency averaged a little 
more than six flights per year. 

While the Commission report breaks out its discussion of “Pressures on the 
System,” as distinct from its discussion of the historical context, the two are inseparable. 
While the effects of this pressure will be elaborated later in this paper, it is appropriate to 
record the development of these pressures in a historical context, which was not done by 
the Commission. As the space program transitioned from the Apollo program (which had 
received almost unconditional congressional and public support) to the Shuttle program, 
NASA increasingly found itself trying to sell the Space Shuttle as economical and self - 
supporting. The Office of Management and Budget (OMB) had demanded that the 
shuttle be proved economical, and NASA produced studies that provided the needed 
justification. In the earliest stages of conceptualization of the “Space Transportation 
System,” turn around times as short as two weeks were cited. 35 Later, as NASA 
continued to be pressured to show Congress and the OMB that the final, ‘partially’ 
reusable shuttle design would be cost effective, they commissioned the research firm 
Mathematica to study Shuttle program economics. The Mathematica study indicated that 
the shuttle would pay for itself if it flew as few as thirty flights a year. 36 After the Space 
Shuttle was declared “operational” in 1982, it was clear that the economies of the Space 
Shuttle laid down in the early days, were not going to be met. Nevertheless, in 1982 
NASA projected a flight rate of twelve in 1984, fourteen in 1985, seventeen in 1986 and 
1987 and reaching twenty-four in 1988. However, what was actually achieved was just 
five in 1984 and eight in 1985. What NASA found as it transitioned from the 
developmental stage of the program to the “operational” status is that the budget did not 
follow; the budget that controlled facilities and equipment did not support the needs of a 
mature system. In fact, NASA sent out invitations to bid on the shuttle operations 
program to United Airlines and American Airlines 37 ; an indication of the level of 
maturity that NASA felt had been reached in the shuttle program. Resources that 

35 McConnell, p. 33. 

36 Ibid., p. 41. 

37 Email correspondence from ADM (Ret) Donald Eaton, 10 February 2006. 


19 



previously had been devoted to a single flight were now spread across multiple missions. 
This was the setting entering 1986 and resulted in the pressures to achieve the flight rate 
in order show that the Shuttle could be economically viable. NASA’s proud heritage also 
added to these pressures as the agency tried to maintain its positive public image in the 
face of several high profile (and at times embarrassing) events. A series of seven delays 
had plagued the Columbia mission that immediately preceded the Challenger launch. In 
addition, NASA was battling criticism from the scientific community that NASA had 
reduced its commitment to scientific exploits in favor of operation of a “Space Truck.” 
As Vaughan states, “externally generated pressures on the organization were met with 
internally generated ones increasing system stress.” 38 

4. Safety 

Another major portion of the Rogers Commission report was devoted to what it 
called the “Silent Safety Program.” The Commission’s findings with respect to the safety 
program indicate that during investigatory questioning, the safety staff was never 
mentioned. In particular, they cite the lack of involvement of safety, quality assurance, or 
reliability personnel in the teleconference that led to the launch decision for Challenger. 
Two of the major findings were that NASA had reduced the work force in these areas, 
severely limiting capability, and that the organizations that did exist had been placed 
under the supervision of the activities whose efforts they were monitoring. As a result of 
these findings, Recommendation IV was made by the Commission, centering on the 
Safety organization. Specifically, the Commission calls for the formation of an Office of 
Safety, Reliability and Quality Assurance that reports directly to the NASA 
Administrator, independent of other NASA functional and program responsibilities. 
Further, the recommendation calls for this office to be staffed with adequate resources. 
The relevance to this recommendation to the Columbia accident will be discussed in 
more detail later in this paper. 

While it is undeniable that inadequate attention to safety considerations played a 
role in the Challenger accident, by the limitations on the Commission’s mandate the 
underlying reasons for the state of the safety program were perhaps not fully investigated. 
The Commission found that the “exactingly thorough” procedures that existed during the 
38 Vaughan, p. 30. 
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Apollo program had become ineffective by 1986 and this seriously degraded the checks 
and balances required for proper flight safety. Other investigators also found that this 
trend, but delved further into the reasons. Just as NASA compromised the design of the 
Space Shuttle for the purposes of making the Shuttle politically acceptable, in the very 
early stages of the program NASA also cut spending on safety testing for shuttle 
components in a move to economize 39 . While this approach diverged from that of the 
Apollo program, NASA’s view was that this was acceptable due to the agency’s 
experience base in space flight. Once again, the difference between the almost unlimited 
budget for the Apollo program and the highly scrutinized budget for the Shuttle program 
certainly played a role in the how NASA approached the development of the Space 
Shuttle. Many investigators of the Safety philosophy at NASA in the early Shuttle days 
agree with Howard McCurty who found that NASA culture had not abandoned safety 
principles that existed in the original agency, but it had been eroded due to difficulties in 
carrying out the practices associated with those principles as compared to the Apollo 
program. 40 According to Vaughan, NASA had experienced a move away from a 
technical emphasis towards management of contractors. 41 According to Trento, as time 
went on this situation deteriorated, with NASA losing the capability to technically verify 
contractor’s work by the end of 1980. At this time, NASA became dependent upon the 
military for many of its inspections, and many of the NASA safety veterans were 
leaving. 42 

The findings and recommendation of the Commission centered upon a lack of a 
safety program, and the fact that the safety organization was embedded in the 
organization it was to regulate. At the time of the accident a review of the safety 
organization within NASA would have revealed a safety organization at each Center 
known as the Safety, Reliability, and Quality Assurance Program (SR&QA) and the 
Space Shuttle Crew Safety Panel (SSCSP) which was a made up of representatives from 
across NASA. The SR&QA were responsible to the individual Centers in that Center’s 

39 D. Stuart, “NASA Cut or Delayed Safety Spending,” New York Times, 24 April 1986. 

40 H.E. McCurdy, Inside NASA: High Technology and Organizational Change in the U.S. Space 
Program, Johns Hopkins University Press, Baltimore 1993. 

41 Vaughan, p. 210. 

42 Trento, p. 176. 
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area of expertise, whereas the SSCSP was tasked specifically with identifying hazards to 
the crew and advising shuttle management. While these organizations could be 
considered internal regulators, a third panel the Aerospace Safety Advisory Board 
(ASAP) which was formed as a result of the Apollo 1 launch pad fire, was made up of 
outside experts. Neither the SSCSP (which was less embedded than the SR&QA) nor the 
ASAP identified the O-ring problems with the SRB, despite their different organizational 
alignments. The only group that did identify the problem was the SR&QA engineers; the 
most organizationally embedded of the three panels. However, due to their dependency 
on the work group within they existed, they were influenced by the organizational view 
of the problem and concurred with the work group’s analysis of the situation. 

The preceding discussion concerning the safety organizations that existed at the 
time of the Challenger accident is indicative of some of traits of regulatory groups that 
may not have been fully considered by the Commission in their findings and 
recommendations. Vaughan gives an excellent comparison of the relative strengths and 
weakness of internal versus external regulation, and why neither is entirely effective. 43 
External groups exhibit the desired trait of autonomy and as such are able to bring to the 
evaluation a fresh viewpoint and ability to make judgments without regard to 
organizational consequences. One would expect that these are the traits that the 
Commission was after in its recommendation to establish a new Safety Office at the 
Headquarters level. This sort of recommendation is very often the response to an 
undesired outcome that investigators determine could have been prevented by higher- 
level scrutiny. However, such recommendation must reconcile the downsides of an 
external regulatory body. One such downside is that the external body often has limited 
access to information that is vital to its oversight and has a difficult time fully 
understanding the implications of what it does access. While it is possible that this could 
be due to a conscious attempt by the regulate to withhold information it is just as often 
related to the fact the external agents are not continuously present as the information 
emerges and analyzed. As a result the external regulator often becomes dependent upon 
the organization it is regulating for both information and interpretation; the very 
phenomena that the outside organization was created to prevent. On the other hand, the 
43 Vaughan, p. 265. 
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internal regulator has definite advantages with respect to uncovering and investigating 
problems because they have more timely access and understanding to the information that 
will reveal problems. However, the downside (well recognized by the Rogers 
Commission and others) is the interdependence the regulators share with the parent 
organization for resources and the shared organizational goals that lessen the 
aggressiveness of the regulator. 

The ASAP is an excellent example of an external regulatory group that was 
established to avoid some of the pitfalls of interdependence but in terms of the O-ring 
problem was ineffective. The SR&QA groups are excellent examples of what needs to 
be considered when an internal regulator is established. The Commission blamed the fact 
that inadequate resources had been provided to the SR&QA staff, and that the staffs had 
been reduced. While it is clear that NASA’s trend toward decreasing emphasis on safety 
needed to be addressed by the Commission, it is not clear that their recommendations by 
themselves would correct the problems. Nor is it clear that had more people been 
assigned in the role of safety within the organizations that existed at the time of the 
Challenger accident that the situation would have been altered. There were plenty of 
individuals who participated on a daily basis in the evaluation of the O-ring design and 
associated launch anomalies who agreed with the organizational position. The 
Commission’s response to this was to enforce safety by having it reviewed at a higher, 
autonomous level. However, for the reasons presented above, this solution is difficult to 
ensure success. The ability of this new safety structure to improve safety in the Post 
Challenger years will be explored in more detail in relationship to the Columbia accident 
later in this paper. 

5. Other 

In addition to documenting the primary technical cause of the accident and the 
contributing aspects discussed above as well as issuing recommendations to reduce these 
causes, the Rogers Commission felt compelled to dedicate a section to additional safety 
considerations that arose during the investigation. These matters did not factor into the 
accident that befell mission 51-L, but held the possibility for safety problems in the 
future. The first area of specific safety findings and recommendations dealt with the 
ascent phase and the fact that there is not capability for crew escape and Orbiter abort 
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capabilities. The second area of specific safety findings and recommendations had to do 
with landing operations. It is important to note that the issues with respect to landing had 
to do tires, braking, steering, and landing criteria at Kennedy versus Edwards. Although 
entry of the Shuttle was acknowledged as dynamic, demanding, and high risk, reentry 
was not considered as part of the landing safety concerns. 


C. POST CHALLENGER INVESTIGATIONS 

The Challenger accident has spurred numerous analyses, investigations, research, 
and publications seeking to leam from the accident in terms of its technical, political, and 
organizational lessons. While the Rogers Commission and Congressional investigations, 
by there nature, had to respond to the accident quickly in order to restore the United 
States Space Program, these subsequent analyses had the benefit of a longer period of 
time, and from the position of the investigators being autonomous and “outsiders.”. 
Therefore, these analyses offer important insight into the causes of the accident. Where 
the analysis from these sources directly related to the findings and recommendations of 
the Rogers Commission, those analyses were presented along with the Commissions 
findings and recommendations in the previous section. However, there are several areas 
that these analyses identify that did not have a parallel in the report of the Commission. 
Those findings are presented here to provide insight into areas to permit these analyses to 
also be considered with respect to the objectives of this paper. 

According to Vaughan, her initial intent in studying the Challenger accident was 
to investigate occurrences of organizational misconduct or amoral calculation that had 
been alleged in many reports on the Challenger accident. These allegations arose in the 
Rogers report in terms of the withholding of information during the launch decision on 
the eve of the launch, the decision process related to the design of the SRB joints, and the 
suppression of technical data indicating flaws in the design. These allegations also arose 
in the House Committee on Science and Technology report that indicated the launch 
decision was a result of “management incompetence. 44 ” However, as Vaughan analysis 

44 House of Representatives, Committee on Science and Technology, Ninety-Ninth Congress, 
Investigation of the Challenger Accident, Report of the Committee on Science and Technology, 

Government Printing Office, Washington, D.C., 1986. 
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unfolds she asserts that those involved in the both the launch decision and the technical 
assessment of the SRB joint did not represent examples of organizational misconduct or 
amoral calculation, but rather were products of the culture and norms of the agency itself. 

Vaughan’s analysis centers on the concept of gradual acceptance of risk and 
normalization of deviance. NASA practiced a process of determining Acceptable Risk. 
This was a formal process of conferring a risk status on each component. Hazards that 
could not be eliminated or controlled were subjected to a formal risk assessment. A 
component could be classified as an Acceptable Risk only on the basis of documented 
analysis of the problem, the probability of its recurrence, and data supporting a 
conclusion of acceptable risk. The work group that made decisions concerning the SRB 
joints conformed to NASA’s procedure for hazard analysis. In fact, many components of 
the Space Shuttle were routinely flown under the category of “acceptable risk.” 

The SRB design decision is an example of the normalization of deviance. This 
concept is that based on the fact that when a group shares expectations of a certain result, 
the group will tend to continue to believe these expectations even when faced with 
contrary evidence. As the Rogers report correctly indicates there had been numerous 
examples of O-ring erosion and blow-by over the years, however this behavior was 
explained in each case and used to demonstrate the fact that the design was in fact robust. 
That is, the system had held together even in light of a history of erosion and blow-by. 
Interestingly, the work group who approved the launch was the same group that had 
normalized the deviant results on the booster joints over the years. The first step down 
this road was taken prior to the first flight, when after significant analysis of the SRB 
joint, based upon concerns expressed by NASA engineers, the SRB was certified as flight 
worthy. The engineers who had conducted the analysis had made a slight design 
correction and believed they understood the joint dynamics and that it was an acceptable 
risk. 45 This marked the first example of accepting the risk and many attempts to correct 
the design rather than redesign; eventually this became the accepted response to abnormal 
behavior of the joints - tweak the design, but don’t stop and take a hard look at what is 
fundamentally going on. Vaughan states, “The first decision establishes precedent that 

45 Vaughan, p. 107. 
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becomes a normative standard for future decisions in similar cases, paving the way for 
development of a pattern.” 46 Eventually if an individual questions the precedent and tries 
to introduce a new decision criteria, as the Thiokol engineers did on the eve of the 
Challenger launch, it can cause a loss of face and result in group pressure to conform to 
the norms. 

The formal Challenger investigations cited failures in communications during the 
Flight Readiness Review (FRR) process to elevate the problems of the SRB joints. 
However, in presenting the FRR process, Vaughan offers some reasons for this and 
relates the result to the acceptance of risk process within NASA. The FRR process was a 
very formal process that progressed through increasingly higher levels bringing in more 
and more aspects of the Shuttle program at each level and raising the level of the 
approving official at each step. There are a couple of major factors that relate to the 
ability of the FRR to have played a role in the SRB joint issue. First, at each step in the 
process the content was by necessity reduced in order to keep the reviews manageable. 
Each level became more problem oriented as the reviews progressed up the line. As 
problems were deemed solved there was less reason to pass the information along. There 
were rules for the type of information that was carried forward to the final two FRR 
levels. One of these rules forms the second major factor. That rule is that only changes 
or deviations from what was previously understood or done were to be reported. The 
reverse of this was also true; previously disclosed issues that had not changed status were 
not reported. This was known as the “Delta concept” within the FRR process. This 
meant that once the SRB joint issue was raised it was not necessary to raise it again as 
long as its performance was consistent with earlier behavior. In 1984, the O-ring erosion 
was raised to the highest levels of the NASA FRR process due to a change in the way that 
O-rings were to be tested prior to the next flight. At this FRR, the previous erosion 
experience base was presented. The recommendation to the top level FRR was to accept 
the possibility of some O-ring erosion due to hot gas impingement. All levels had been 
informed of the problem, the rationale for accepting risk, and the fact that erosion was 
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expected on future flights. The Delta approach meant that unless the technical basis for 
what had been presented changed there was no need to present the erosion issue at future 
FRRs. 

It is a central theme in the Rogers report and the Congressional investigation that 
there were rule violations as part of the launch decision and SRB joint technical 
reporting. The implication of these rule violations is that they failed to inform the higher- 
ups about problems, and if the information had flowed up, that the decisions would have 
been different. However, according to Vaughan based on her investigation of the policies 
in place at the time, there were no rule violations. 47 Her contention is that the decisions 
were within the norms of the NASA organization. The Level I and II FRRs preceding the 
Challenger launch had no mention of the SRB anomalies that conformed to the Delta 
Concept. After the Columbia returned just prior to the Challenger launch, additional 
erosion was found on the joints, however it was within the experience base and served to 
further affirm redundancy and robustness of design. 

Vaughan also makes some other points concerning the culture of engineers and 
how it may have contributed to the accident. One aspect is that within engineering 
groups the viewpoint often is “Change is bad.” 48 This viewpoint comes from the 
uncertainties of a new design and the unknown evils versus those that are known. This 
played a role in not wanting to redesign the shuttle joint. Another aspect has to do with 
the reliance on solid data in making engineering decisions. In both the decision on the 
eve of the launch and an earlier discussion on the effects of cold, 49 the Thiokol engineers 
proposed a correlation between cold temperatures and O-ring damage but were unable 
positively influence the decision makers due to a lack of solid data or concrete influence. 
In this early discussion, there was only a weak relationship of cold to damage and it was 
observational as opposed to quantifiable. When combined with the low likelihood of 
cold temperatures at the Cape, the effect of cold was dismissed. 

In Trento’s analysis of the Challenger accident, he reports on events surrounding 

the first flight of the Challenger that went unreported by the Rogers Commission as they 
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were unrelated to the Challenger accident, but they are quite relevant when viewed in the 
context of the Columbia accident. Trento reports that on the first flight, “Tiles were 
missing from the aft right orbital maneuvering pod of the shuttle.” 50 The heat protection 
experts became worried by this and set out to investigate the magnitude of the problem. 
At this point, the shuttle was not authorized for extravehicular excursions. As result of 
the concern the Air Force offered to attempt to photograph the orbiter with powerful new 
(and at the time secret) ground cameras. However the results were not detailed enough to 
make a judgment on the status of the tiles. Next, the KH-11 spy satellite was used and 
pictures of sufficient quality to assure no large section of the tiles were missing. 


D. INVESTIGATION OF THE COLUMBIA ACCIDENT 
1. Overview 

The Columbia Accident Investigation Board (CAIB) determined: 

The physical cause of the loss of Columbia and its crew was a breach in 
the Thermal Protection System on the leading edge of the left wing. The 
breach was initiated by a piece of insulating foam that separated from the 
left bipod ramp of the External Tank and struck the wing in the vicinity of 
the lower half of Rein-forced Carbon-Carbon panel 8 at 81.9 seconds after 
launch. During re-entry, this breach in the Thermal Protection System 
allowed superheated air to penetrate the leading-edge insulation and 
progressively melt the aluminum structure of the left wing, resulting in a 
weakening of the structure until increasing aerodynamic forces caused loss 
of control, failure of the wing, and breakup of the Orbiter. 51 

Throughout the report, the CAIB had many findings and recommendations 
relating to both the physical cause of the accident and the causal factors that allowed the 
errors and bad decisions to be made. Of the twenty-nine recommendations made, all but 
six of them were directly related to the physical cause of the accident, although the 
majority of the report was dedicated to discussion of these causal factors. As with the 
Rogers Commission, the CAIB determined that substantial changes must occur within the 
NASA organization and culture if future accidents are to be prevented. The following 
sections will discuss the casual factors of the Columbia accident that were discussed in 
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the Board’s report. The relationship to the causes discussed in the Challenger section 
will be explored. It should be noted that the reason why many of the causes discussed in 
the Challenger section were also included in the Columbia report may be because Diane 
Vaughan was a researcher assigned to the CAIB staff. Further analysis of the 
relationship of the Challenger and Columbia accidents and their causal factors will be 
discussed in the analysis section of this report. 

2. Contributing Causes of the Columbia Accident 

Like the Rogers Commission, the CAIB placed much of the blame for the 
Columbia accident on the culture that exists at NASA. “By the eve of the Columbia 
accident, institutional practices that were in effect at the time of the Challenger accident 
- such as inadequate concern over deviations from expected performance, a silent safety 
program, and schedule pressure - had returned to NASA.” 52 It is important to understand 
how this culture has evolved over the lifetime of the NASA organization. NASA’s early 
days had lofty goals set by Presidents, and they were provided budgets to meet these 
goals. NASA developed a can-do attitude and had great successes during the Apollo era. 
However, as the nations priorities shifted, the budgets NASA was granted did not match 
the goals they were given. Fueled by their early successes, NASA’s belief that they were 
the only organization that could execute the human space flight programs led them to 
reject many of the criticisms and recommendations that resulted from the various panels 
and reviews of their organization, including the Rogers Commission. However, although 
the culture was not changing, the organization was changing. 

Feeling pressure from budget cuts with little cuts in the scope of responsibilities 
and programs they were expected to perform, NASA began to rely more on outsourcing 
to contractors. This organization change required modifying the safety oversight and 
communication necessary to have programs as successful as the Apollo programs. 
Instead of concentrating on improving the safety and managerial aspects of the space 
program as recommended by various commissions, NASA tried to do more with less, 
adopting the motto “Faster, better, cheaper.” The space shuttle program has had huge 
budget cuts, while the shuttle has become more expensive to operate and is critical for the 
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construction of the International Space Station (ISS). Although NASA’s overall budget 
decreased by thirteen percent, the shuttle budget decreased by approximately forty 
percent over the last decade. 53 

Between 1991 and 1994, Shuttle operating costs were cut by twenty-one 
percent. 54 In 1996, the Space Shuttle Program management was moved back to Johnson 
Space Center, as it was before the Challenger accident. The Space Flight Operations 
contract was signed, and United Space Alliance took over 61 percent of outsourced 
Shuttle operations contracts, including safety and various inspections. 55 The savings 
expected from these contracts have not been realized; however, the impacts to the 
downsized civil service workforce and safety programs have increased the risk of 
operating the Shuttle. NASA attempted to change some aspects of their organization to 
better manage this new structure, but the budget cuts did not allow for proper oversight, 
and the contractor was relied upon often without being checked by government 
representatives. In addition, the contract had cost reduction incentives in an attempt to 
force the contractor to be more efficient, but these savings were often achieved at the 
expense of safety improvements, and did not allow for proper study and correction of 
anomalies that would occur on virtually every mission. 

Only three years after the Challenger disaster, NASA started reverting to the 
ways that the Rogers Commission attempted to improve. With the leadership back in 
Johnson and out of the Washington headquarters, and the contractors having more 
responsibility, there were many inside NASA who were concerned about this new 
organization. 

The organizational was further complicated by the separation of the orbiter from 
the rest of the system. The integration office was not responsible for the orbiter, and as a 
result, labeled foam loss as a lower-level problem than it should have been. “The 
Integration office did not have continuous responsibility to integrate responses to bipod 
foam shedding from various offices. Sometimes the Orbiter Office had responsibility, 

sometimes the External Tank Office at Marshall Space Flight Center had responsibility, 
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and sometime the bipod shedding did not result in any designation of an In-Flight 
Anomaly. Integration did not occur.” 56 To correct this, CAIB recommendation R7.5-3 
would make the integration office responsible for the entire system, including the orbiter. 

In 2001, Sean O’Keefe became Administrator of NASA, and he moved Space 
Shuttle Program management back to Headquarters in Washington, DC. The budgets for 
the Space Shuttle began to increase around this time, as NASA and Congress realized 
that a Shuttle replacement was not on the horizon, and the Shuttle infrastructure which 
was so neglected in the 1990’s would be operating possibly through 2020, and would be 
relied upon to build and maintain the ISS. “A decade of downsizing and budget 
tightening has left NASA exploring the universe with a less experienced staff and older 
equipment.” 57 Although NASA had various proposals for a new space vehicle, none had 
ever gained enough acceptance to be funded to necessary levels to make them a reality. 
These initiatives included the National Aerospace Plane in the late 1980’s, VentureStar in 
the 1990’s, and the Space Launch Initiative from 2000 to 2002. Although billions of 
dollars had been spent exploring these options, none seemed feasible replacements to the 
Shuttle. The Orbital Space Plane is a more recent initiative intended only to complement 
the shuttle by carrying personnel to the ISS. Although nothing substantial came from 
these projects, they did take money from the Space Shuttle, since Shuttle upgrades were 
delayed in anticipation of a replacement soon being developed. With the Shuttle life 
expected to extend well into 2020, some money was finally invested in long needed 
upgrades, however it may have been too little too late. 

With no replacement on the horizon, the space shuttle was experiencing flight 
schedule pressures, specifically driven by construction of the International Space Station. 
Although the Columbia mission was not directly related to the ISS, the timing of the 
launch could not be delayed because the Columbia was scheduled to be modified to 
support future ISS missions. These modifications would be done immediately after the 
STS-107 mission. Any delay in STS-107 would have repercussions for future ISS 
missions. Schedule pressures limit the time that can be spent to analyze problems and 
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find solutions, and result in increased risk for each flight. The CAIB recommendation 
R6.2-1 instructs NASA to “Adopt and maintain a Shuttle flight schedule that is consistent 
with available resources.” 58 

3. Managing the Risk of Foam Loss 

Like the days leading up to the final launch of the Challenger , the manner in 
which NASA made decisions and managed the risks in the Shuttle program was likely the 
most important factor leading to the loss of the Columbia. The STS-107 mission was not 
the first flight to lose foam from the main fuel tank. Visual evidence of foam loss can be 
seen on over ten percent of Shuttle flights, although it is believed that the majority of 
missions had some amount of foam loss during launch. In addition, every launch has 
sustained some amount of damage due to debris striking the orbiter, and has had to been 
repaired as part of the turnaround process. NASA was not able to learn from the studies 
done after the Challenger accident that discuss the agency’s tendency to accept risk as 
well as deviances from specifications and expected outcomes based on previous 
successes, regardless of the predicted probability of these results. 

With the frequencies at which foam was lost, and debris struck the orbiter 
throughout the history of the Shuttle program, how is it possible that NASA could ignore 
this known problem for all those years? This happed even while NASA was claiming to 
have improved their safety program after the Challenger , and while an outstanding action 
concerning significant foam loss from two missions before the Columbia launch was left 
open, without resolution, while NASA continued to launch shuttles. One of the original 
requirements for the Space Shuttle System was that there should be no shedding of ice or 
other debris during pre-launch and flight. As a result of this requirement, the orbiter was 
allowed to be designed with a fragile thermal protection system, with minimal 
requirements to withstand any debris strikes. With this in mind, NASA engineers were 
very concerned when after the first shuttle flight; the Columbia needed over three 
hundred tiles replaced because of the debris it encountered during launch. Bipod foam 
loss was first observed in 1983 on the Challenger. This was flagged as an anomaly that 
needed to be resolved before the shuttle could be launched again. This anomaly was 
closed based on the repairs to the Orbiter’s thermal protection system, but the real 
58 Columbia Accident Investigation Board, p. 139. 
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problem, the shedding of foam insulation during launch, was never addressed. Other 
foam loss discovered by the CAIB was never addressed because NASA’s review of the 
film was not adequate to discover this was happening and report it as a flight anomaly. 
Ironically, the problem of foam loss and Orbiter damage was brought up during the 
Challenger accident investigation by the Rogers Commission 59 , but still no action was 
taken to modify the foam to eliminate shedding, or to improve the Orbiter’s resistance to 
this damage. Additionally, post -Challenger analyses indicated that one of the concerns 
that were expressed about the cold weather faced by Challenger was the possibility of ice 
shedding from the external tank. An Ice Team was sent to make certain that “frost on the 
tank was not so thick that chunks that fell during the blasting roar of lift-off would 
damage the Orbiter’s fragile tiles on impact.’’ 60 This tends to indicate that the technical 
community would take measures to avoid debris shedding due to ice, but that they had 
come to accept the foam shedding and any risk that resulted from it. 

NASA did not act on the foam problem because they treated it as only a 
maintenance issue, adding time to repair Orbiters before they could be launched again. 
“With each successful landing, it appears that NASA engineers and managers 
increasingly regarded the foam-shedding as inevitable, and as either unlikely to 
jeopardize safety or simply an acceptable risk. The distinction between foam loss and 
debris events also appears to have become blurred. NASA and contractor personnel 
came to view foam strikes not as a safety of flight issue, but rather a simple maintenance, 
or “turnaround” issue.” 61 Foam loss was again flagged as a problem after STS 112, two 
missions before the Columbia's final launch. An Integrated Hazard Report (IHR) was 
generated because of the significant size and damage caused during this flight. NASA 
continued flying the shuttles despite this outstanding hazard report. 

NASA seems to equate previous success with low risk or robustness of design. 
The foam loss IHR was not considered significant enough to delay Columbia 's STS-107 
mission because STS-113 had already been successfully flown prior to determining the 
root cause of the foam loss and recommending corrective action, as required to close the 
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hazard report. During the STS-113 Flight Readiness Review, the rational for launching 
without resolving the foam IHR was also based on past performance; foam loss was 
never before considered a Safety of Flight issue, and no orbiter had ever been damaged 
enough to create a safety of flight issue. Given this past success, it was concluded that 
the shuttle was “safe to fly with no new concerns (and no new risk).” 62 In an example of 
continued acceptance of risk and normalization of deviance that was cited as crucial in 
the Challenger accident, “With no engineering analysis, Shuttle managers used past 
success as justification for future flights.” 63 The open IHR was of such little significance 
during the preparations for Columbia'’ s flight, it was not even mentioned in the Flight 
Readiness Review documentation. If having a better review of open issues did not 
convince management there was sufficient reason to prevent the launch of STS-107, it 
might have at least raised the awareness of the issue and resulted in a better effort to 
determine the possible damage to the orbiter after the foam loss was discovered after 
launch. 

As previously discussed within the Challenger analysis, NASA again displayed a 
tendency to practice “normalization of deviance,” or acceptance or risk based on past 
successes. More specifically, the management of the risk associated with foam loss was 
pointed out during the Rogers Commission investigation by Shuttle Program Manager 
Arnold Aldrich. 64 NASA’s tendency of accepting risk based on success was also 
discussed in a report in March of 2000 by a Shuttle Independent Assessment Team 
(SAIT) which was set up to review NASA’s recent “close calls.” “The SIAT was 
concerned with ‘success-engendered’ safety optimism ... The SSP must rigorously guard 
against the tendency to accept risk solely because of prior success.” 65 Not only does 
NASA practice this normalization of deviance regularly, but this has been repeatedly 
pointed out to them, and they have not changed their ways. Given this, one starts to 
question if NASA is really an organization that is capable of changing their culture. 
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4. Organizational and Cultural Causes 

When causal chains are limited to technical flaws and individual failures, 
the ensuing responses aimed at preventing a similar event in the future are 
equally limited: they aim to fix the technical problem and replace or 
retrain the individual responsible. Such corrections lead to a misguided 
and potentially disastrous belief that the underlying problem has been 
solved. 66 

The Rogers Commission recognized this, and included the many organizational changes 
recommended in the previous discussions. However, when the CAIB started their review 
of NASA’s organization, they found it had not changed substantially from what existed at 
the time of the Challenger accident. 

The Columbia accident resulted from a series of decisions made by NASA 
management, similar to the decisions that led up to Challenger 's final flight. The foam 
loss and impact with the orbiter was noticed by the Intercenter Photo Working Group the 
day after Columbia was launched. However, the extent of any damage resulting from this 
event could not be determined from the available pictures. A group was formed to 
investigate the potential implications of this strike. The group became known as the 
Debris Assessment Team, instead of a true “Tiger Team” which according to NASA 
procedures, should have been established and given clear roles and responsibilities. This 
was one of the many times that NASA failed to follow their own established procedures, 
creating additional confusion with respect to communication lines and reporting 
requirements. Without having the charter of a true tiger team, the debris assessment team 
did not have the guidance or the authority to effectively complete their analysis, and did 
not have the correct forum in which to present their findings. Instead of waiting for the 
results from the Debris Assessment Team, who was the right group to assemble the 
necessary data to make an informed engineering judgment as to the effect the foam strike 
would have had on the orbiter, NASA management relied on early, incomplete 
assessments from area experts and had already begun to believe that it was unlikely that 
the debris strike could cause any significant damage to the orbiter. Given this incorrect 
assessment, and previous successful flights with debris strikes, it was easy for 
management to give the debris strike analysis a low priority and low risk, and also deny 
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any requests for imaging to further assess damage from the strike. The Intercenter Photo 
Working Group was the first to request that satellite imaging be used to get a view of the 
orbiter to help assess any damage that may have occurred. This request was not acted 
upon, even though the use of satellite imagery had been demonstrated as successful in 
photographing thermal tiles for damage going all the way back to the first Challenger 
flight. 67 

After further analysis of the foam loss, the size of the piece that separated from 
the tank and impacted the orbiter was able to be estimated. This was used as input to a 
computer program called Crater, which predicts damage to the thermal protection system. 
Although the size of the debris was larger than those which the Crater algorithms had 
been developed to evaluate, the tool was the best prediction model available and was 
used for this analysis. The Crater analysis predicted that the Thermal Protection System 
might have been damaged to a point where the aluminum frame would be exposed to the 
severe reentry heat. Although this should have alerted NASA management that this was 
a potentially catastrophic problem, it was dismissed because Crater was thought to be a 
very conservative tool, the exact location of the debris strike was not known, and experts 
had convinced the management that there would be no concern of breach of the thermal 
protection system. It was likely that the strike could have stuck a location that would 
survive such an impact. Management continued to believe that the impact was similar to 
what was experienced in previous missions, and was not expected to be an issue to be 
concerned with since there was no problems with these earlier events. To support this 
conclusion, management requested more research into “what rationale had been used to 
fly after External Tank foam losses on STS-87 and STS-112.” 68 This would not only 
support the premature conclusion they were looking for, but would assist in the allowing 
future flights to be launched after this event. Management also believed that increasing 
the estimated risk of potential impacts from foam loss would have contradicted previous 
decisions made by the very same group. It would mean that management would have to 
admit that they might have been wrong or underestimated the foam loss problem in the 
past. 
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Continuing to work without a strict charter or empowerment by the NASA 
hierarchy, the Debris Assessment Team continued to review the event, and determined 
that in order to make an informed decision as to the potential damage from the foam, any 
in-orbit imagery they could obtain would greatly assist in this analysis. Not being very 
familiar with Department of Defense (DoD) imaging capabilities, and not having a clear 
communication path to upper management or departments who may have been more 
familiar with such requests, the attempts by the team to obtain such imaging were 
confused and eventually denied by NASA management. The team made one final 
attempt to obtain the requested imaging through the engineering directorate instead of the 
usual mission chain of command. Again, because of the confusion in the communication 
protocols and chains of command responsible for this group, the request was thought to 
be more of an engineering desire than a mission need, and it was again denied. 
Management denied the request because there was not a “requirement” to get the 
imagery, and they could not immediately determine from where the request originated. 
Had the Debris Assessment Team had more of an official charter and chain of command, 
the origins of the imagery request would have been better understood and may have been 
fulfilled. Another reason given by management as to why the request was denied was a 
belief that nothing could be done if there the imagery did detect that something was 
noticeably wrong with the orbiter. Since the Debris Assessment Team did not understand 
that the management’s denial to image the orbiter was not a direct response to their 
request, they assumed it was and attempted to determine if their request was a mandatory 
requirement, without truly understanding what that meant. “Analysts on the Debris 
Assessment Team were in the unenviable position of wanting images to more accurately 
assess damage while simultaneously needing to prove to Program managers, as a result of 
their assessment, that there was a need for images in the first place.” 69 

Four factors lead to NASA’s belief that the Columbia was not in danger from the 
foam impact seen in the launch photographs: 

1. the Debris Assessment Team was not properly empowered to perform the 
analysis task, and detrimental communication problems resulted. 
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2. the analysis of the strike was based on the results of a tool not fully 
appropriate for this application, and its results were not believed, 

3. Shuttle management had a pre-determined opinion that foam strikes were low 
risk, mostly based on past performance, and 

4. the safety representatives did not perform an independent analysis, and did not 
question the assumptions of the analysis, or notice that the actions of 
management was requiring the engineers to demonstrate that the system was 
unsafe, instead of requiring them to prove it was safe, and giving them all the 
tools to assist them in this assessment. 

The CAIB made some interesting observations concerning the communication 
problems between management and the engineering communities. “Managers tendency 
to accept opinions that agree with their own dams the flow of effective 
communications.” 70 Managers did not seem to understand that as leaders they had a 
corresponding and perhaps greater obligation to create viable routes for the engineering 
community to express their views and receive information. This barrier to 
communications not only blocked the flow of information to mangers, but it also 
prevented the down stream flow of information from managers to engineers, leaving 
Debris Assessment Team members no basis for understanding the reasoning behind 
Mission Management Team decisions.” 71 The importance of communication is often 
assumed to be understood, and management will show how under normal circumstances 
they effectively communicate with their people. However, when there are critical 
decisions to be made in a timely manner, management often attempts to quickly gather 
limited information and make a decision without much explanation. This may possibly 
be the most important time to communicate the rational behind critical decisions, but 
partially because of time constraints and so management can move on to other important 
issues, it is seldom done. Many managers do not believe that they need to answer to the 
people who support them, but contrary to their belief, these people are often more 
informed than they are, and have valuable insights that are often overlooked or simplified 
when information makes it to a management level. A manager asking their technical 
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community to critique their decision logic may be a very enlightening experience, where 
the manager can leam much, and also the technical community will also have a forum to 
express their related knowledge and any concerns. One could even envision an electronic 
bulletin board system where various levels of responses could be made to decisions, and 
when the assumptions used to make a critical decision are incorrect, this could be quickly 
corrected and the decision re-evaluated using better information. The biggest mistake of 
the Missions Management was that it did not seek the information necessary to make the 
decisions they made. They did not determine who was seeking the imaging requests and 
more importantly why, they did not require that a better analysis tool be used to assess 
the damage, they did not actively engage the Debris Assessment Team and listen to their 
concerns, and they did not look for options as to what could be done to mitigate risk of 
bum-up on reentry if there was damage to the orbiter. 

The lack of an effective communication structure is damaging to any 
organization, but when lives are at stake like at NASA, it can be truly detrimental. 
Information must be available to the decision makers in the organization, as well as to the 
people who are affected by those decisions. A way to pass additional information to 
someone who has made an incorrect decision or one that was based on misguided 
assumptions is also needed. An effective communication structure was not present in 
NASA at the time of the Columbia accident. “Program leaders spent at least as much 
time making sure hierarchical rules and processes were followed as they did trying to 
establish why anyone would want a picture of the Orbiter.” 72 Had the Mission managers 
better understood this request, there might have been a chance of doing something about 
the damage to the orbiter. One of the problems with the way information is passed 
through the NASA chain of command is the extensive use of viewgraphs. Simplifying 
information to fit it on a viewgraph eliminates many details that may be critical to the 
decision being made, and can diminish the importance of critical problems. In addition, 
management were not accustomed to seek the minority opinion in order to better 
understand the options and other views which could impact the decision being made. 
Seeking this alternative information also fosters a culture where it is acceptable to have 
an opinion that differs from the majority, or the way things were done in the past. If 
72 Columbia Accident Investigation Board, p. 181. 
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Missions management prompted a debate over whether the shuttle was safe, or if it would 
be useful to have the pictures of Columbia , or what could be done if the orbiter was 
damaged, the outcome of the Columbia may have been more like Apollo 13 instead of 
Challenger. 

The CAIB recommendation 6.3-1 directly relates to the communication problems 
between contractors, NASA engineers, and management. A training program should be 
set up for the Mission Management Team to face safety contingencies involving potential 
loss of the Shuttle or crew, and “assemble and interact with support organizations across 
NASA/Contractor lines and in various locations.” 73 

5. NASA’s Safety Program 

NASA claimed to have a safety program that was actively involved, risk-averse, 
and empowered to stop any operations if an employee felt there was a safety problem. 
Contrary to this internal belief, the CAIB found the safety program was not acting as 
NASA described and presented to the CAIB. The safety office was still reliant on 
funding from the programs they supported, instead of being truly independent as 
recommended by the Rogers Commissions. The process that the safety office was forced 
to operate under effectively neutered their power to independently monitor and effect the 
shuttle operations. “NASA’s safety culture has become reactive, complacent, and 
dominated by unjustified optimism. Overtime, slowly and unintentionally, independent 
checks and balances intended to increase safety have been eroded in favor of detailed 
processes that produce massive amounts of data and unwarranted consensus, but little 
effective communication.” 74 
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The safety organization within NASA was not independent, and there were often 
people who were responsible for multiple roles within the organization that had 
conflicting interests. The safety office was not organized in a way that would provide for 
one single person to be fully responsible for Shuttle mission’s safety, and to provide an 
integrated view of the safety of the overall program (see Figure 1). In addition to being 
organizationally linked to the shuttle missions, the safety office is funded by the 
programs they support. Thus, a program only gets as much safety oversight as they have 
money for, and if the budget gets cut, the safety function is likely to take as much of a cut 
as any other part of the program. In addition, since the program money is paying for their 
safety review, the safety efforts will be further influenced by schedule pressures, since 
not meeting schedule will eventually affect funding levels, or risk cancellation of the 
program. Since the funding for safety was constantly being reduced through NASA’s 
75 Columbia Accident Investigation Board, p. 185. 
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various reorganizations, independent analysis by the safety group was often not 
completed, and they had to rely on the technical analysis done by other engineering 
groups working on the program. The CAIB recommendation R7.5-2 directly addresses 
the safety office’s authority and budgeting; stating that “NASA Headquarters Office of 
Safety and Mission Assurance should have direct line authority over the entire Space 
Shuttle Program safety organization and should be independently resourced.” 76 

The Shuttle program used various databases to track problems. These databases 
were separate, and were not easily queried to get information worthy of assisting in any 
decision making process. The databases tracking critical items, waivers, and hazard 
reports could have helped the safety office better understand the risk associated with 
shuttle missions or other problems, but their complexity prohibited their use as a risk 
analysis tool. Had these tools been better integrated or more accessible, the safety 
reviewers might have been more likely to press management to defend their decision to 
go forward with the STS-113 and Columbia missions, even though there was an 
outstanding issue relating to foam loss from STS-112 which had not been answered. 
They might also have been more likely to determine the true flight risk based on a 
historical tracking of various anomalies and items that were not meeting the original 
design requirement. As additional critical requirements were waived based on past 
performance, a better trend analysis of the anomaly database would have helped to 
compile the continuing trend of assuming more risk as the program progressed. The 
CAIB made the lengthy recommendation R7.5-1 to “Establish an independent Technical 
Engineering Authority that is responsible for technical requirements and all waivers to 
them, and will build a disciplined, systematic approach to identifying, analyzing, and 
controlling hazards throughout the life cycle of the Shuttle System.” 77 The 
recommendation goes on to discuss the tasks the technical engineering authority will 
perform, which include being the sole waiver-granting authority, conducting trend and 
risk analysis and their reporting systems, verify launch readiness, and approve the re¬ 
certification program. Further, the CAIB recommendation R9.1-1 requires NASA to 
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report to Congress the status of the activities required to prepare a plan and to implement 
this new authority, as well as the independent safety office and reorganized integration 
office. 

The safety representatives must also have input and insight into all critical 
decisions, and they should always ensure that it must be proven that the mission is safe, 
not the other way around as was the case for both the Columbia and the Challenger. 

Problems with NASA’s safety organization were pointed out in various reviews. 
Congress mandated that NASA create separate safety and reliability offices after the 1967 
fire aboard the Apollo 1 test capsule, which resulted in the loss of three astronauts, 
including Virgil I. “Gus” Grissom, . However, these offices were not independent 
because their funding was still linked to the programs they supported. After the 
Challenger accident in 1986, the Rogers Commission noted that NASA did not have an 
independent safety program. The Associate Administrator heading the new Safety office 
created in response to this recommendation was not truly independent, because the safety 
activities were still funded by the programs they supported. The safety office’s lack of 
independence was again pointed out by a Government Accountability Office (GAO) 
report in 1990, where it was recommended implementing centralized funding for safety. 
Again in 1999, the Shuttle Independent Assessment Team (SIAT) and the Integrated 
Action Team established to act on the recommendations of that team, both found that the 
safety culture at NASA was being eroded, increasingly so because of the new contract 
structure recently adopted and the better, faster, cheaper philosophy. “The Shuttle 
Independent Assessment Team and NASA Integrated Action Team findings mirror those 
presented by the Rogers Commission. The same communication problems persisted in 
the Space Shuttle Program at the time of the Columbia accident.” 78 The Space Shuttle 
Competitive Source Task Force in 2002 again pointed out this issue stating that in 
addition to the safety office not being independent, it does not have the authority to halt a 
mission if they feel there is a safety concern. The safety has always really been left up to 


78 Columbia Accident Investigation Board, p. 179. 
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the programs to determine how much safety they needed, or could afford, and this was 
not changed despite all the warnings from outside agencies warning that this was a 
problem throughout NASA’s history. 

As Senator Ernest “Fritz” Hollings (D-S.C.) remarked during a Senate Commerce 
Committee hearing on the results of the CAIB’s report on the Columbia accident, 
“There’s no education in the second kick of a mule. I’m hearing the same things I 
listened to seventeen years ago.” 79 


79 B. Berger, "Lawmakers Press O’Keefe For Cost Figures.” 3 September 2003. Space News Staff 
Writer, [http://www.space.com/news/nasa_hearing_030903.html], last accessed December 2003. Senator 
Hollings directed his remarks to NASA Administrator Sean O'Keefe, and ADM Harold Gehman (USN, 
ret), head of the Columbia Accident Investigation Board, during their testimony to the Senate Commerce, 
Science, and Transportation Committee. 
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IV. ANALYSIS OF FINDINGS 


A. QUESTION ONE 

After reviewing the two investigative reports produced after the two space shuttle 
accidents, the analysis obviously starts by making comparisons between the two, 
especially in their final recommendations (listed in their entirety in Appendix A). 
Specifically, we pose the following questions: 

What similarities and differences exist when comparing the recommendations 
made by both commissions? Are there any recommendations from the Challenger 
investigation that if properly implemented, could have affected the issues leading to the 
Columbia accident? Are there any recommendations from the CAIB that could have 
been identified by the Challenger investigation? For any recommendations that were 
made by both commissions, is it expected that the post Columbia NASA can implement 
the recommendation more effectively? 

In many ways, the two shuttle accidents resulted from the same failures in the 
NASA organization. The recommendations concerning the NASA organization and 
culture made by the CAIB were very similar to the recommendation made eleven years 
previously by the Rogers Commission. Specifically, both included recommendations 
dealing with flight schedule pressures, the management structure, and the safety program. 
This point was not missed by those familiar with both investigations, and the 
congressional comities who reviewed their work. 

1. Flight Rate 

The Rogers Commission Recommendation VIII and CAIB recommendation 6.2-1 
both deal with the shuttle flight rate and are virtually identical. The Rogers Commission 
recommendation VIII reads: 

Flight Rate. The nation's reliance on the Shuttle as its principal space 
launch capability created a relentless pressure on NASA to increase the 
flight rate. Such reliance on a single launch capability should be avoided 
in the future. 

NASA must establish a flight rate that is consistent with its resources. A 
firm payload assignment policy should be established. The policy should 
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include rigorous controls on cargo manifest changes to limit the pressures 
such changes exert on schedules and crew training. 50 

The CAIB recommendation R6.2-1 reads: 

Adopt and maintain a Shuttle flight schedule that is consistent with 
available resources. Although schedule deadlines are an important 
management tool, those deadlines must be regularly evaluated to ensure 
that any additional risk incurred to meet the schedule is recognized, 
understood, and acceptable. 5i 

The similarities here are obvious, with one line of the CAIB recommendation a 
virtual quote of the Rogers Commission recommendation. Although this was a 
significant topic repeated by both investigations, it is unlikely that this alone could have 
changed the outcome of the Columbia. The NASA budget is controlled by Congress, 
with an annual budget process, however NASA projects and programs require several 
years, or even decades, to complete. Although NASA needs to assess budgetary changes, 
and evaluate the risk associated with changes to the programs, it is unlikely that NASA 
will be able to drastically alter their project plans annually. In addition, it is hard to 
imagine that a risk assessment of the Columbia launch pressures would have influenced 
the decisions surrounding that mission. Schedule pressures may have been more of a 
factor for the Challenger launch, as the schedule ultimately was what forced them to 
launch in such cold temperatures. Had the schedule been more flexible, the launch could 
have been delayed and that particular mission may have been saved. However, there was 
still a reoccurring problem with the O-ring design, which was not meeting the 
requirements. As a result, the extreme cold on the day of the Challenger launch may 
have only increased the risk of a problem that was bound to happen at some point. 
Although both the Rogers Commission and the CAIB found that schedule pressures did 
contribute to the accidents and therefore included this important recommendation in their 
reports, these recommendations alone are unlikely to correct the primary organizational 
problem and prevent future accidents. In fact, NASA sent out invitations to bid on the 


80 Presidential Commission on the Space Shuttle Challenger Accident, p. 201. 

81 Columbia Accident Investigation Board, p. 226. 
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shuttle operations program to United Airlines and American Airlines 82 ; an indication of 
the level of maturity that NASA felt had been reached in the shuttle program. 

2. Organizational Structure 

The management and safety structures are somewhat related and are included in 
recommendations from both committees. Both management and safety must have an 
overarching perspective of the shuttle program. The Rogers Commission 
recommendation II as well as the CAIB recommendation 7.5-3 deal with similar issues, 
but in somewhat different ways. Rogers recommendation II states, “A redefinition of the 
Program Manager's responsibility is essential. This redefinition should give the Program 
Manager the requisite authority for all ongoing STS operations. Program funding and all 
Shuttle Program work at the centers should be placed clearly under the Program 
Manager's authority.” 83 The CAIB recommendation R7.5-3 is similar but deals not 
directly with the management of the shuttle program, but with the technical side of the 
problem, the integration office. It states, “Reorganize the Space Shuttle Integration 
Office to make it capable of integrating all elements of the Space Shuttle Program, 
including the Orbiter.” 84 The integration office needs to be at an organizational level 
above all of the components they are integrating, so that no single component, like the 
orbiter, is in a different structure to report information, and all components must report to 
the Integration Control Board. This might have been closer to what the Rogers 
Commission was trying to achieve with their management structure recommendation. 
They were specifically trying to deal with funding and oversight, but with this it may 
have been assumed that better organized technical expertise would follow. However, a 
different management organization does not necessarily change the way technical 
decisions are made, as was demonstrated with the Columbia accident. Program 
Managers typically have incentives to achieve schedule milestones, and this can easily be 
measured as the schedule date come to pass. However, a Program Manager should also 


82 Email correspondence from ADM (Ret) Donald Eaton, 10 February 2006. 

83 Presidential Commission on the Space Shuttle Challenger Accident, p. 199. 

84 Columbia Accident Investigation Board, p.227. 
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have some incentive components relating to safety and quality. These aspects may be 
more difficult to judge success in order to reward a job well done, but failure can result in 
catastrophic events. 

The new management structure put in place after the Challenger accident did not 
significantly change how the shuttle components were being integrated, and did not 
establish technical group directly responsible for the top-level integration of the shuttle 
sub-systems and their requirements. Had the new overarching management structure 
implemented teams with high levels technical oversight, it might have been possible to 
flag the reoccurring foam loss problem as a more significant risk than a simple in-flight 
anomaly. In addition, many of the changes in the management organization put in place 
after the Challenger accident were undone later years due to changes in leadership and in 
an effort to be more efficient given the declining budget environment. Therefore, 
although similar, the CAIB recommendation stresses the importance of the organization 
of the integration office and their responsibilities, which should have a greater impact to 
future missions. 

3. Safety Programs 

Both committees make recommendations for an independent and adequately 
funded safety program. If the Rogers Commission recommendation II, which addresses 
the safety organization with respect to the central management structure, was adequately 
addressed by NASA, it could have had some impact on the Columbia accident. 
However, the Rogers Commission directly addresses their concerns with the safety 
program in recommendation IV which states: 

NASA should establish an Office of Safety, Reliability and Quality 
Assurance to be headed by an Associate administrator, reporting directly 
to the NASA Administrator. It would have direct authority for safety, 
reliability, and quality assurance throughout the agency. The office should 
be assigned the work force to ensure adequate oversight of its functions 
and should be independent of other NASA functional and program 
responsibilities' 55 . 


^ 5 Presidential Commission on the Space Shuttle Challenger Accident, p. 200. 
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The CAIB has a very similar recommendation, R7.5-2 which states “NASA 
Headquarters Office of Safety and Mission Assurance should have direct line authority 
over the entire Space Shuttle Program safety organization and should be independently 
resourced.” 86 

The Columbia accident resulted from one sub-system, the external fuel tank foam 
insulation, influencing the performance of another shuttle sub-system, the orbiter. If the 
management structure was different, and the safety community reorganized with more 
authority, it might have influenced the Columbia by changing the assessment of the 
reoccurring foam loss problem. An adequately funded safety program could have had the 
recourses necessary to determine the frequency of the foam loss problem through trend 
analysis. However, there is a limited amount of funding for the safety programs, and it is 
a difficult balance that has to be made to provide adequate safety analysis within the 
programs funding constraints. Since there is never enough money to do everything, it is 
necessary to rank the severity of problems, to ensure the highest risk items are dealt with, 
and as many of the lower level issues are addressed as possible. Unfortunately, the 
ranking can be incorrect, and this may be discovered only when it is too late. In the years 
following the Challenger accident, NASA seemed to revert to the “prove it is unsafe” 
vice “prove it is safe” mentality in their management decisions. Had the safety office 
been given enough authority to check management decisions and made sure that NASA 
was not reverting to this dangerous practice, the foam loss problem may have been better 
analyzed and a proper risk assessment been made of the dangers to the reentry of the 
orbiter. 

In addition to recommending an independent safety program, the CAIB went a 
step further with the addition of a Technical Engineering Authority. As stated in CAIB 
recommendation R7.5-1: 

Establish an independent Technical Engineering Authority that is 
responsible for technical requirements and all waivers to them, and will 
build a disciplined, systematic approach to identifying, analyzing, and 
controlling hazards throughout the life cycle of the Shuttle System. The 
independent technical authority does the following as a minimum: 

86 Columbia Accident Investigation Board, p. 227. 
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• Develop and maintain technical standards for all Space Shuttle 
Program projects and elements 

• Be the sole waiver-granting authority for all technical standards 

• Conduct trend and risk analysis at the sub-system, system, and 
enterprise levels 

• Own the failure mode, effects analysis and hazard reporting 
systems 

• Conduct integrated hazard analysis 

• Decide what is and is not an anomalous event 

• Independently verify launch readiness 

• Approve the provisions of the re-certification program called for in 
Recommendation R9.1 -1. 

The Technical Engineering Authority should be funded directly from 

NASA Headquarters, and should have no connection to or responsibility 

for schedule or program cost. 87 

This may be the additional recommendation that could make the difference in the 
post Columbia NASA that did not seem to happen in the post Challenger NASA. The 
physical causes of both accidents were problems that were happening in a non- 
catastrophic way before the accident, and were deviations from specifications. In 
retrospect it appears that the data existed to indicate either erosion of the design margin, 
or a minimal margin, but that data was not adequately assessed. The o-ring joints were 
failing but it was believed there was a backup ring, so the out of spec part was not 
quickly investigated and fixed. Damage from foam hitting tiles happened on almost 
every flight, and although there was a requirement for this not to happen, it was accepted 
and treated as a maintenance issue. This new technical authority, along with an 
independent safety community, may have made different decisions regarding the failing 
o-rings or foam loss problem, or would likely have input into the requests to photograph 
the Columbia in orbit to assess possible damage before attempting re-entry. 

Procedures and databases are essential for complex systems. Before a mission or 
upgrade, it should be easy to determine the outstanding issues (like the foam loss hazard 
report that was ignored) and ensure all testing is complete. This recommendation should 

Columbia Accident Investigation Board, p. 227. 
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eliminate the practice of the delta approach to readiness reviews. This delta approach, as 
discussed in the data section, allowed only new problems to be discussed in a flight 
readiness review, while any problem that had been seen before and determined within 
acceptable risk was from then on ignored. Presuming it is adequately resourced, this new 
technical engineering authority will be performing trend analysis and risk assessments 
that should show when a problem is not going away, or is not being fixed. 

However, this new organization cannot exist and properly execute their task 
without a change in NASA’s cultural acceptance of risk. The Rogers Commission asserts 
that a management system that emphasizes safety would have flagged the rising doubts 
about the SRM joint seal. However if the culture is such that the lack of action to reduce 
the risk becomes acceptable, the working level motivation for continued pressure on 
safety is impacted. NASA must strive to be a learning organization, and determine root 
causes of problems. Over time, efforts should be made to change those causal factors as 
well as the specific issue. NASA must never revert to accept the premise that proof is 
needed to show it is unsafe before a mission is aborted. 

This recommendation could be the difference between the organizational 
recommendations of the Challenger that will make a difference in the future NASA. 
Giving a group independence and authority to halt a launch and assess all hazards and 
requirement waivers could be what NASA needs to make sure they do not slip back to 
their old culture. Hopefully this new authority will be set up as intended by the CAIB, 
and they will always require proof that it is safe, not proof that it is unsafe. 

B. QUESTION TWO 

Although the Rogers Commission viewed its mandate as quite broad, they 
specifically indicated in their report that they did not perform a detailed investigation of 
all aspects of the Space Shuttle program, such as budgetary matters or in areas that would 
supersede Congressional powers. No investigation can completely erase the future risk. 
However, given the magnitude of the analysis available following the Challenger 
accident it is beneficial to examine if the CAIB captured any of the causal factors. In 
light of factors that were identified by other researchers after the Rogers Commission 
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finished their investigation and the possibility that some of these factors were also 
important to the Columbia accident (including the findings of their preceding analysis), it 
is appropriate to ask: 

Are there factors, that neither investigation identified, that should be 
considered in helping to prevent future catastrophic occurrences in 
complex engineering development projects? 

While the Rogers Commission discussed design flaws that contributed directly to 
the Challenger accident, they did not identify other design issues that may have adversely 
impacted the future of the shuttle program, including those that may have played a role in 
the Columbia accident. There were several design modifications identified in the post- 
Challenger investigations that have gone unidentified by either commission that could 
continue to pose risk to the shuttle program but also serve as an example of pitfalls that 
could befall many complex engineering development projects. 

As discussed in the historical context discussion, the Space Shuttle started out as a 
two stage (booster-orbiter) design where both stages were to be piloted, reusable vehicles. 
However, even though this design offered lower life cycle cost, it had high R&D costs 
which became increasingly difficult to defend through the political and budget process. 
In this original design both the booster vehicle and the orbiter would operate using 
cryogenic-liquid propulsion systems which NASA had a great deal of experience and 
confidence in safety. In order to make the system more affordable, the booster design 
was changed to be only partially reusable with the expendable boosters changed to solid 
rockets thus avoid the high cost of designing liquid system plumbing that would survive 
water impact and permit turnaround for reuse. Further, the Commission did not identify 
questionable acquisition decisions to procure the SRBs from a land locked contractor 
which forced the SRB to be a segmented design as opposed to choosing a contractor who 
could have built the SRBs as a single unit avoiding the O-ring design entirely. 
McConnell presents a convincing case that politics not technical reasons led to the choice 
of Utah based Thiokol by Utah native NASA Administrator James Fletcher 88 . While the 
Rogers Commission identified flaws in the booster design, they did not go back in time 
further to question the design change that led to the boosters in the first place. Nor did 

88 McConnell, pp. 50-56. 
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they look at other changes made to the original design that may have led to other risks 
due to a sub-optimal design. It is likely that they viewed this as ‘water under the bridge’ 
but such an investigation may have given NASA information to update those items that 
perhaps should be reexamined going forward. 

Just as the Rogers Commission identified design flaws with the SRBs but did not 
investigate the underlying decision to use SRBs, the CAIB identified numerous issues 
with foam shedding from the external tank and tile damage, but did not investigate deeper 
design decisions that led to the current problem. Returning once again to the two stage 
piloted booster-orbiter concept we find that the original orbiter was to be a straight 
winged design and much smaller due to the fact that the booster contained engines 
powerful enough to avoid reliance on orbiter engines. It is this design for which the 
thermal protective tile design was originally intended. According to Trento this design 
was well suited for the application of tiles. 89 However in order to get buy in from the Air 
Force, critical for continuation of the program, the orbiter design had to be changed to 
meet the cross range requirement. It proved difficult to adapt the tile concept to the new 
delta wing concept with its complex curved surfaces. Further, the change from the 
booster vehicle to the external tank and SRBs also introduced the foam-shedding hazard 
that coupled with the fragile tiles led to the Columbia accident. 

This new design had an initial requirement for no shedding of foam which 
allowed the continued use of the thermal protection system; resulting in minimal 
requirements to withstand damage. The first flight of the shuttle resulted in great concern 
when it was determined that a large number of tiles needed to be replaced. However, as 
in the case of the Challenger , the continued success of the flights despite the 
acknowledgement of deviance was used by NASA as a way of showing the robustness of 
the design rather than an identification of a latent problem. There is a key lesson here for 
not only NASA but also other organizations managing complex engineering development 
projects. Data that indicates a sub-optimal design should not be misconstrued as an 
indication of a robust design. Further, this is an example common to subsystem 
engineering, that is that when one part of the organization changes the design to meet a 

89 McConnell, p. 40. 
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new or changed requirement, that other parts of the organization cannot assume there is 
no change needed to their portion of the design. It is important to note that although both 
Commissions have now completed their work the Space Shuttle is still flying with 
external tanks, SRBs and protection tiles. A reason for this is that the commissions were 
chartered to find out why the mishaps occurred and recommend corrective actions, rather 
than implement them. 

It is unlikely that the identification of the design compromises by the Rogers 
Commission would have prevented the Columbia accident due to the extreme extent of a 
redesign. In fact the Rogers Commission did identify the need for a crew escape 
capability (part of the original shuttle concept and then removed) as recommendation VII 
in their report, but investigations by NASA determined that it was not feasible to retrofit 
the shuttle with this capability. Nor is it expected that a redesign of the shuttle system 
would occur based on a CAIB identification of the sub-optimal design. However, it is 
appropriate for commissions to make such recommendations as a warning against 
extracting politically palatable agreements through technological compromises. When 
outside forces cause engineering design changes it is important to iterate the system 
engineering processes to ensure that the changes do not invalidate earlier engineering 
decisions. It is imperative to revisit engineering decisions to see if a change made for 
political reasons requires a more extensive reengineering effort. Unfortunately, complex 
engineering projects are often faced with the problem that Vaughan attributed to the 
Space Shuttle, “NASA received political endorsement of the Shuttle Program and its 
mission without the political commitment necessary to provide resources adequate to 
meet program goals.” 90 

Another area that each investigation paid only tangential attention to was the 
budgetary and political pressures that result in management action that contributed to 
increase risk in shuttle operations. In fact, in the case of the Rogers Commission, they 
specifically stated “...the Commission did not construe its mandate to ... to review 
budgetary matters.” 91 However, at least one of the Commission members, Richard. P. 
Feynman, who was a Nobel Laureate in physics, felt strongly enough about these matters 

90 Vaughan, p. 30. 

91 Presidential Commission on the Space Shuttle Challenger Accident, p. 1. 
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that a separate Appendix was included in the report to document his personal feelings. 
He points to a large disconnect between the level of risk of loss of the shuttle vehicle and 
human life between the engineers and shuttle management. He claims that management 
believes the probability of failure is a thousand times less than the engineers working the 
program. 92 He claims that this is either an incredible lack of communication between the 
working level and management or an attempt to assure those who fund NASA's programs 
that the program remains executable. In many ways, the observations of Feynman were 
later confirmed and expanded by Dr Vaughan’s research and findings of acceptance of 
risk and normalization of deviance. However, Feynman applies a stronger role to 
working within the pressures of the NASA budget and political environment than Dr. 
Vaughan. Feynman’s statement, “We have also found that certification criteria used in 
Flight Readiness Reviews often develop a gradually decreasing strictness,” 93 was later 
echoed in Post Challenger investigations, including Dr. Vaughan’s. Feynman maintains 
that the rigorous certification criteria were slowly altered with incremental logical 
decisions that, in the aggregate, result in increased, unacknowledged risk to the program. 
This is a common problem faced in execution of complex technological projects that rely 
upon continued justification of funding; there is often pressure to maintain the impression 
of invincibility as opposed to admitting to technological weaknesses and working to 
correct them. 


C. QUESTION THREE 

Especially in technical communities, one of the least understood, imprecise, 
cryptic, and hardest factors to address is an organization’s structurally-embedded culture, 
with its associated strengths and vulnerabilities. Thus, question three takes on this aspect 
of this analysis by posing the question, “What problems existed in the NASA culture 
during the times of both accidents?” 


92 Ibid., Volume II, Appendix F, p. F-4. 

93 Ibid., p. F-l. 
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1. Introduction 

In our view the NASA organizational culture had as much to do with this 
accident as the foam. 94 

The quote above from the Columbia Accident Investigation Board leaves little 
doubt as to the gravity with which the Board viewed the cultural reasons for the 
Columbia disaster. To begin this analysis, a working definition of culture is required. 
Culture can be defined as the shared beliefs, behavioral norms, and values of an 
organization, often driven by unspoken assumptions. This is often described by people 
within an organization as “the way we do things here.” 95 As noted in the CAIB report, 
the culture of an organization is a tremendously potent and enduring force that persists 
below the veneer of reorganizations and personnel changes. 96 Many outsiders and 
recently, more and more NASA insiders believe that the cultural problems at NASA 
persisted from the time of Challenger to Columbia , and that changes implemented in the 
post -Challenger NASA organization were simply surface level and impermanent, akin to 
rearranging the deck chairs on the Titanic. This assessment is shared by technologists, 
safety experts, social scientists, and people at all levels of the federal government. This 
sentiment was voiced in a homespun way by Senator Ernest “Fritz” Hollings (D-S.C.), 
who remarked during a Senate Commerce Committee hearing on the results of the 
CAIB’s report, “There’s no education in the second kick of a mule. I’m hearing the same 
things I listened to seventeen years ago.” 97 Words that hit closer to home are those of Dr. 
Sally Ride, America’s first woman astronaut and a member of both the Rogers 
Commission and the CAIB, who stated she heard “echoes” of the Challenger tragedy in 
the Columbia accident. 98 

94 Columbia Accident Investigation Board, p. 97. 

95 “Assessment and Plan for Organizational Change at NASA,” Behavioral Science Technology 
(BST), 15 March 2004, p.6. 

96 Columbia Accident Investigation Board, p. 101. 

97 B. Berger, "Lawmakers Press O’Keefe For Cost Figures," 3 September 2003, 
[http://www.space.com/news/nasa_hearing_030903.html]. Last accessed December 2003. Senator 
Hollings directed his remarks to NASA Administrator Sean O'Keefe, and ADM Harold Gehman (USN, 
ret), head of the Columbia Accident Investigation Board, during their testimony to the Senate Commerce, 
Science, and Transportation Committee. 

98 Testimony of Dr. D. Vaughan, Columbia Accident Investigation Board Public Hearing Transcript, 

23 April 2003, [ http://www.caib.us/events/public_hearings/20030423/transcript_pm.html], Last accessed 
June 2003. 
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In the intervening years between Challenger and Columbia , awareness of cultural 
aspects of organizational performance and behavior has become more understood and 
assessed within both private and public entities. Thus, the investigation and discussion of 
cultural problems at NASA prior to the Columbia incident are much more a part of the 
CAIB’s formal investigation and the associated public discussion than that pursued by the 
Rogers Commission. The CAIB’s direct and candid assessment of NASA’s cultural 
deficiencies is exemplified by the following: 

The organizational causes of this accident are rooted in the Space Shuttle 
Program’s history and culture....Cultural traits and organizational 
practices detrimental to safety were allowed to develop, 
including:... organizational barriers that prevented effective 
communication of critical safety information and stifled professional 
differences of opinion...and the evolution of an informal chain of 
command and decision-making processes that operated outside the 
organization’s rules." 

Furthermore, since Columbia , NASA itself has spoken publicly about “culture” 
and the need to fix what is generally perceived as broken within it. There has also been 
the required acknowledgement that culture is more difficult to fix, especially when the 
organization itself is a technocratic entity that isn’t even sure what “culture” means. The 
major cultural problems during the times of Challenger and Columbia can be distilled 
down to the following: 

• Requiring engineering personnel to prove a negative - prove to management that 
a system isn’t safe for flight rather than being required to provide it is safe for 
flight. 

• Risk acceptance and the normalization of deviance 

• Groupthink 

2. Proving a Negative 

Perhaps first and foremost, one of the most recognizable and glaring cultural 
problems at NASA that was present during both the Challenger and Columbia eras was 
that instead of being required to demonstrate that a system was safe for flight, NASA 
engineers and those of their contractors were required to rather prove it wasn’t safe to fly 
the shuttle. The Rogers Commission found this to be the case with engineering decisions 

" Columbia Accident Investigation Board, p. 177. 
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surrounding the decision to launch Challenger as did the CAIB with circumstances 
surrounding the foam strike on Columbia and its post-launch assessment and imagery 
request. 

In the case of the Challenger accident, Thiokol personnel believed that suddenly 
roles had switched and they had now been put on the spot by NASA to establish it was 
not safe to fly STS 51-L rather than safe to do so. Roger Boisjoly, Thiokol’s O-ring 
expert, stated during his testimony to the Rogers Commission regarding the 27 January 
1987 NASA - Thiokol phone conference that “this was a meeting where the 
determination was to launch, and it was up to us to prove beyond a shadow of a doubt 
that it was not safe to do so. This is in total reverse to what the position is in a preflight 
conversation.” 100 Further substantiation was voiced by Robert K. Lund, Thiokol’s vice 
president for engineering during the time of Challenger , who testified before the Rogers 
Commission that he and other Thiokol personnel changed their recommendation [from 
no-go to go for launch] because “we had to prove to them that we weren’t ready, and so 
we got ourselves in the thought process that we were trying to find some way to prove to 
them it wouldn’t work, and we were unable to do that. We couldn’t prove absolutely that 
that motor wouldn’t work.” 101 

Finally, the shift in NASA’s cultural norm from “prove to me it is safe” to “prove 
to me it is not safe” was recognized by astronaut Bob Crippen, the pilot of the first Space 
Shuttle Mission, when he stated during a Rogers Commission hearing: 

Since the earliest days of the manned space flight program that I’ve been 
associated with and Mr. Armstrong [Neil Armstrong, the vice-chairman of 
the Rogers Commission] has been associated with, our basic philosophy 
is: Prove to me we’re ready to fly. And somehow it seems in this 
particular instance we have switched around to: Prove to me [that] we are 
not able to fly. I think that was a serious mistake on NASA’s part.. , 102 

In exploring the cultural defects that contributed to the Columbia accident, the 
CAIB stated, “Both Challenger and Columbia engineering teams were held to the usual 
quantitative standard of proof. But it was a reverse of the usual circumstance instead of 

100 Presidential Commission on the Space Shuttle Challenger Accident, p. 93. 

101 Presidential Commission on the Space Shuttle Challenger Accident, Vol. 4, p. 811. 

102 Presidential Commission on the Space Shuttle Challenger Accident, Vol. 4, p. 632. 
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having to prove it was safe to fly, they were asked to prove that it was unsafe to fly.'’ 103 
The CAIB’s belief on this point was reinforced by its finding F6.3-22, which stated that 
NASA managers required engineers to prove that the foam-strike led to a safety-of-flight 
issue, rather than having to prove the system was safe. 104 If further proof of this 
persistent cultural flaw is required, one needs to look no further than NASA’s 
Administrator, Sean O’Keefe, who stated that NASA would once again change its dictum 
from “prove to me that it’s not safe” to “prove to me that it is safe.” 105 

3. Risk Acceptance and Normalization of Deviance 

One of the most explored areas of organizational culture with respect to the 
Challenger and Columbia incidents is that of the idea of risk acceptance and the 
normalization of deviance, as described by Diane Vaughan. This theory has been applied 
by Dr. Vaughan in great detail to the Challenger accident. At the time of this writing, her 
normalization of deviance theory has been used as an investigative tool by the CAIB and 
others in a preliminary manner. As discussed previously in Section III, Dr. Vaughan 
defines normalization of deviance as the inclination of organizations to accept risk as 
well as deviances from specifications and expected outcomes based on previous 
successes, regardless of the predicted probability of these results. 

In the case of the Challenger , after the first accepted O-ring erosion event during 
STS-2, the second shuttle flight in November 1981 106 , there was a gradual acceptance of 
more O-ring erosion events, which built upon the NASA engineering database, of 
anomalous, but acceptable risk due to O-ring blow-by. This acceptance and 
normalization of risk occurred at the highest levels of NASA management, such as during 
the Flight Readiness Reviews for STS-41C, when the notion that some O-ring erosion 
was deemed acceptable by Lawrence Mulloy, the SRB project manager at Marshall 
Space Flight Center because of the redundant SRB O-ring seals. 107 The magnitude of 
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this deviation normalization can be seen in the shuttle missions from 1984 up to the 
Challenger accident. During this time period, three of four flights in 1984 exhibit O-ring 
erosion, as did eight of nine flights in 1985, and the 12 January 1986 mission that 
preceded Challenger. At both Marshall and Thiokol, senior management deemed the O- 
ring erosion as allowable, acceptable risk. 108 Dr. Richard Feynman, the renowned 
physicist, Noble Laureate and Rogers Commission member, noted this risk normalization 
behavior in his appendix to the Commission’s report. Dr. Feynman remarked, “We 
[Commission members] have also found that certification criteria used in Flight 
Readiness Reviews often develop a gradually decreasing strictness.” 109 Feynman goes 
on to assert 

The phenomenon of accepting for flight, seals that had shown erosion and 
blow-by in previous flights, is very clear...The acceptance and success of 
these flights is taken as evidence of safety. But erosion and blow-by are 
not what the design expected. They are warnings that something is 
wrong.. .The fact that this danger did not lead to a catastrophe before is no 
guarantee that it will not happen next time...When playing Russian 
roulette the fact that the first shot got off safely is little comfort for the 
next. 770 


Feynman’s comparison of NASA’s behavior of deviance normalization to a game 
of Russian roulette provides a vivid image of just how far this behavior had gone. 

As stated in the discussion of the Rogers Commission investigation, right up to 
the night before the Challenger launch, both NASA and Thiokol engineers analyzed the 
obvious proof that that SRB O-ring design was not functioning as designed, but through 
risk acceptance and normalization of deviance, this negative event was transformed into 
an acceptable and non-deviant event. The acceptance of this launch risk was based in 
part on incorrect emphasis on meeting a launch window as the top-level objective, not 
executing a launch within the bounds of the known, safe launch environment. Thus, as 
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Dr. Vaughan stated in her presentation before the CAIB, the “eve of the launch 
teleconference was one more decision in a long line of decisions that gradually expanded 
the bounds of acceptable risk.” 111 

In the case of the Columbia incident, the same ominous pattern of accepting 
anomalous foam strikes, with no apparent high risk outcomes as “normal”, occurred on 
the part of NASA. The end result was just as tragic as Challenger’s. As stated 
previously in this analysis, the CAIB’s investigation revealed that NASA managers at the 
time of Columbia had come to accept the fuel tank foam loss and subsequent impact on 
the orbiter as acceptable. In effect, NASA management used past success, despite 
deviations from the system’s intended design and functionality, as validation of the 
likelihood of future mission success. 112 This mode of organizational thinking can be 
thought of as an unwise effort to adhere to a “success-oriented” program or schedule. 
This is epitomized by the CAIB report’s assessment that risk normalization was evident 
after the flight of STS-112, when two more shuttle flights were scheduled without 
hearing back from the team investigating the foam strike during that mission. The CAIB 
report states, “It seems that Shuttle managers had become conditioned over time to not 
regard foam loss or debris as a safety-of-flight concern.” 113 Furthermore, the CAIB 
report reveals that Linda Ham, the STS-107 Mission Management Team Chair, 
specifically treated the foam shedding problem as a maintenance one, not one of 
safety. 114 In an interview following the release of the CAIB’s report, Admiral Harold 
Gehman (USN, ret), the CAIB’s chairman, when discussing NASA cultural norm of 
deviation normalization and flawed risk acceptance, stated, “If you [NASA] got away 
with it ten times in the past then it must be right. They really believe that, or some of 
them believe it.” 115 
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Diane Vaughan, in her previously discussed testimony before the CAIB, 
recommended that NASA’s organizational system and culture become targets for 
change. 116 Dr Vaughan has further stated, “ Challenger , like Columbia was an 
institutional failure. That is, it wasn’t a matter of the decision-making structure. It had to 
do with the entire organization [NASA] and its culture, and the critical parts that really 
didn’t get changed.” 117 Thus, those echoes to which Dr. Ride alluded in her commentary 
on the Columbia seem to resonate loud and clear. 

4. Group think - When Too Much Cohesion is a Perilous Thing 

a. Introduction 

Another significant and stubborn problem is the continuation of 
groupthink from Challenger to Columbia. It should be noted however, that Groupthink 
and Diane Vaughan’s theory of risk normalization could be considered as competing 
cultural models, not concurrent ones. This is the position Dr. Vaughan has taken in her 
writings and statements. However, for the purposes of this analysis, the authors are 
treating groupthink and risk normalization as plausible concurrent and complementary 
culture problems at NASA. 

b. Groupthink Defined 

Groupthink is the term coined by the noted Yale research psychologist, 
Irving L. Janis, to describe the phenomenon by which a talented, intelligent, high- 
performing, and usually high-powered group makes horrible decisions. Janis defined 
groupthink as “a quick and easy way to refer to a mode of thinking that persons engage in 
when they are deeply involved in a cohesive in-group, when concurrence-seeking 
becomes so dominant that it tends to override critical thinking or realistic appraisal of 
alternative courses of action.” 118 Janis’s research, which formed the foundation for his 
groupthink theory, was based on an examination of “notorious,” as Janis himself put it, 
decisions made by governmental leaders over many years. These included such debacles 
as the Bay of Pigs, the attack on Pearl Harbor, the escalation of the Vietnam War, the 

116 Testimony of Dr. D. Vaughan, Columbia Accident Investigation Board Public Hearing Transcript. 
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miscalculation that lead China to enter the Korean Conflict, and the policy of 
appeasement used by Neville Chamberlain in his government’s fruitless attempt to 
placate Nazi Germany prior to World War II. Since Jams’s case studies involved all 
different sorts of high-performing, bureaucratic, risk-intensive organizations, the 
presence of groupthink is relatively easy to identify, and then by following Jams’ 
recommendations, an organization can blunt its negative effects. 

See Appendix C for the detailed description of groupthink, which support 
the analysis that follows. 

c. Groupthink and Challenger 

In the case of the Challenger disaster, a review of the data and discussion 
previously presented in this paper in Section III, Investigations, combined with 
information culled from various sources, clearly shows that groupthink was present as a 
cultural problem with NASA at that time. 

First, what antecedent conditions required for groupthink to take hold 
were present at the time of the Challenger tragedy? A review of personnel background 
as well as the events that transpired, just prior to the Challenger Flight Readiness 
Reviews, shows that the NASA personnel like Lawrence Mulloy, Bob Marshall, and 
William Lucas, who were key players in the genesis of the Shuttle program and were 
involved in the Challenger incident, were very familiar with each other, had come up 
through the ranks of the space program, and had worked together on the Shuttle program 
for many, many years 119 . This in turn created an exceptionally high degree of esprit de 
corps; a cohesive group existed. 

A second precursor for groupthink that was clearly present within the 
NASA hierarchy during the time of Challenger was the clear existence of a leadership 
preference for a launch despite the O-ring erosion and low ambient temperature concerns. 
As described previously in this paper, NASA personnel at Marshall Space Flight Center 
as well as the Kennedy Space Center severely and at times acerbically pushed back 
against Thiokol’s recommendation that the Challenger launch not be conducted at 
temperatures below fifty-three degrees F. This leadership preference for the launch 
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decision can also be seen in the normalization of deviance, discussed in detail by 
Vaughan, as well as NASA requiring Thiokol to prove the negative - it wasn’t safe to 
launch Challenger. Finally, several key statements and behaviors of senior NASA 
personnel during the now infamous phone conference of 27 January 1986, as documented 
in notes and testimony to the Rogers Commission, reveal this very strong leadership 
preference: 

• George B. Hardy, Marshall’s Deputy Director for Science and Engineering, stated 
that he was “appalled” 120 by Thiokol’s reasoning for not recommending launch 
below fifty-three degrees F, which had been the lowest previous launch 
temperature during STS 51-C in January 1985. 121 

• Lawrence Mulloy, the SRB Project Manager at Marshall, challenged Thiokol’s 
recommendation on the basis that there was no Launch Commit Criteria for SRB 
joint temperature. He further went on to assert that the eve of the launch was a 
bad time to invent a new LCC, and capped off this pro-launch opinion by stating, 
“My God, Thiokol, when do you want me to launch, next April [in reference to 
the fifty-three degree F temperature launch criteria recommended by 
Thiokol]?” 122 

• Hardy and Mulloy, as the senior engineer and SRB project manager, respectively, 
combined to condemn Thiokol’s evidence and rationale, forcing Thiokol to go 
“off-line” and reconsider their objections to the cold-weather launch of STS 51-L. 

One final, readily apparent antecedent for groupthink to take root is the 
phenomenon of the group being insulated from experts. In the case of the Challenger 
accident, Thiokol engineering staff provided testimony to the Rogers Commission which 
clearly shows management personnel insulating themselves from the deck-plate 
engineering community, which had considerable concern over the O-ring erosion issue in 
conjunction with the coldest attempted Shuttle launch. Roger Boisjoly, Thiokol’s O-ring 
expert, testified before the Rogers Commission that: 
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...and the bottom line was that the engineering people would not 
recommend a launch below fifty-three degrees F...From this point on, 
management formulated the points to base their decision on. There was 
never one comment in favor, as I have said, of launching by any engineer 
[Thiokol] or other no-management person....I was not even asked to 
participate in giving any input to the final decision charts 725 

Thus, it can be clearly shown that the three required preconditions for 
groupthink to develop were present in NASA at the time of Challenger. 

An assessment of the symptoms of groupthink present at this time shows 
that many are easily uncovered. One needs to remember, however, that not all eight 
symptoms of groupthink need be found within an in-group to yield the poor decision¬ 
making that is an unfortunate outcome of groupthink. An illusion of invulnerability is 
clearly evident. First, although astronauts Grissom, White, and Chafee perished in the 
Apollo I launch pad fire, NASA had never suffered an in-flight fatality. Since Apollo I, 
NASA had fifty-five straight successful missions 124 in which they had sent men to the 
moon, docked with Soviet Soyuz craft, built and deploy Spacelab, and fielded the Space 
Shuttle as a regular delivery “space truck.” The American public and NASA themselves 
seemingly came to believe they there were infallible. This implicit air of invincibility can 
be seen in the comment of George Hardy, who stated that the O-ring erosion risk was 
“true of every other flight we had.” 125 According to Janis, this sort of statement by a 
member of the in-group displays a mind-set of “everything is going to work out all right 
because we are a special group.” 126 Finally, Nobel Laureate, Richard Feynman, a 
member of the Rogers Commission, believed that the Commission’s investigations and 
interviews revealed that NASA’s exceptional track record of successful space flights 
created overconfidence. 127 This leads to more and more risk assumption and deviation 
normalization, as described by Vaughan. 
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NASA exhibited the second Type I symptom of groupthink, which is the 
group’s unquestioned belief in its inherent morality. NASA management displayed this 
indicator of groupthink though their shift of the “old” NASA morality of having to prove 
a system was safe to fly, to having to prove the opposite. In the case of Brian Russell, 
Thiokol’s Director of Systems Engineering at the time of STS 51-L, there was direct 
feeling that moral rules had been shifted by NASA. During testimony before the Rogers 
Commission, Mr. Russell, who was present at the 27 January NASA - Thiokol phone 
conference, stated, “I had the feeling that we were - that it was a distinct feeling that we 
were in the position of having to prove that it was unsafe instead of the other way around, 
which was a totally new experience.” 128 Mr. Russell’s stance on this fundamental shift is 
reinforced by that of Mr. Allen McDonald, Thiokol’s SRM Project Manager at the time 
of Challenger , who testified before the Rogers Commission as follows: 

Well, I have been in many flight readiness reviews, probably as many as 
anyone, in the past year and a half get up and stand before, I think, a very 
critical audience at Marshall, and a very good one, justifying why our 
hardware was ready to fly. I have to get up and explain every major defect 
and why we can fly with that defect.... And I have been hassled about 
how I'm sure that that is okay to fly with.... And it has been that way 
through all of the reviews I've ever had, and that is the way it should be. 

And it is not pleasant, but that is the way it should be. And I was 
surprised here at this particular meeting that the tone of the meeting was 
just the opposite of that. I didn't have to prove that I was ready to fly.. , 129 

This testimony before the Rogers Commission, as well as that of Boisjoly 
and Lund previously discussed in the section regarding the cultural defect of “proving a 
negative” shows that affliction of groupthink yields other corresponding cultural 
dysfunctions besides normalization of deviance already tied by the authors of this paper 
to groupthink. The seemingly abrupt change in flight commitment criteria is due to the 
pressure to meet the launch schedule and near-term launch window, which was in turn 
driven by NASA’s need to meet unrealistic flight rates. 

The first Type II symptom of groupthink discussed above was a group’s 
propensity to stereotype outsiders with competing or contrary opinions. The record 
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reveals little evidence of direct NASA denigration of outsiders in the Challenger case. 
However, the general caustic and adversarial tone of NASA interaction with Thiokol 
personnel is evident during the phone conference of 27 January 1986. This stereotyping 
is most clearly revealed in the previously quoted words of Lawrence Mulloy, which are 
worth repeating, “My God, Thiokol, when do you want me to launch, next April?” 130 
There was a clear, confrontational tone to NASA retort to Thiokol’s initial 
recommendation to not launch in temperatures below fifty-three degrees F, and even this 
threshold temperature is suspect due to the small sample set of data in existence at that 
time. 

The fourth symptom of groupthink described by Janis is that of collective 
rationalization. This rationalization leads the group to dismiss warnings which would 
otherwise drive them to review data or to reconsider their assumptions before resuming 
their chosen course of action. In the case of the Challenger catastrophe, the Level 1 
Flight Readiness Review displayed NASA’s rationalization of the O-ring erosion risk. 

As shown previously in this paper, NASA officials discounted the Thiokol 
engineers’ concerns to a great extent, based on their rationalization that the engineering 
data on which Thiokol was basing their “no launch” recommendation was inconclusive. 
Furthermore, NASA officials collectively believed that the secondary O-ring would seal 
in worst-case conditions, which is a clear rationalization that attempts to overcome the 
fact that SRB joint seal is a failure mechanism without backup. 

As stated in his testimony before the Rogers Commission, George Hardy 
reasoned, incorrectly in hindsight, that the secondary O-ring would be properly seated at 
the time of primary O-ring blow-by during launch. 131 This can be construed as a 
rationalization due to the fact that Space Shuttle system would sit on the launch pad for 
up to twenty-eight days, with various stress transients (e.g., transportation vibration, 
thermal effects, wind loading of the booster shell, pressure changes, etc.) acting on the O- 
ring seals, with no subsequent pressure check prior to launch. 132 Finally, Mr. Hardy 

testified that during the NASA - Thiokol phone conference, “No one in the meeting 
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questioned the fact that secondary seal was capable and in the position to seal during the 
early part of the ignition transient prior to any significant joint rotation.” 133 In this way 
the past performance of the secondary O-ring seal during primary erosion incidents 
perpetuated the illusion that the system was working properly and safely. Thus the group 
had collectively brought themselves to believe that the SRB joint O-rings would hold, 
despite a body of data that seriously raised doubts about this conclusion. That a group of 
senior, experienced NASA engineers and managers would come to this conclusion in 
light of the fact that the primary O-ring was consistently being compromised during 
launch, is unmistakable proof of collective rationalization denoting the presence of 
groupthink. 


One of the symptoms attributed to groupthink that was most clearly 
evident during the Challenger disaster was that of self-censorship of deviations, the first 
of the Type III indicators described by Janis. An examination of Thiokol and NASA and 
personnel behavior during this time is rife with examples of self-censorship. A review of 
the Rogers Commission testimony and the history of the Marshall Space Flight Center 
reveal several telling statements. During the off-line Thiokol-only caucus, held after the 
initial phone conference, where Thiokol recommended not launching below fifty-three 
degrees F, Thiokol engineers ended up censoring themselves. This self-censorship arose 
when faced with Thiokol management’s opposition to their standpoint. Roger Boisjoly, 
Thiokol’s O-ring expert and member of their Seal Task Force, stated in testimony before 
the Rogers Commission that: 

Okay, the caucus started by Mr. Mason stating a management decision 
was necessary. Those of us [Boisjoly and Arnold Thompson] who 
opposed the launch continued to speak out...we were attempting to go 
back and re-review... and we couldn’t understand why it [the 
recommendation to not launch below fifty-three degrees F] was going to 
be reversed....So we spoke out and tried to explain once again the effects 
of low temperature. Amie actually got up.. .walked up to the table and put 
a quarter-pad down...and tried to sketch out once again what his concern 
was with the joint, and when he realized he wasn’t getting through, he just 
stopped [emphasis added]. 734 
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Mr. Boisjoly went on to relate his own self-censorship after trying in vain 
to persuade Thiokol management to uphold the “no launch” recommendation: 

I tried one more time with the photos. I grabbed the photos, and I went up 
and discussed the photos once again and tried to make the point that it was 
my opinion from actual observations that temperature was indeed a 
discriminator and we should not ignore the physical evidence we had 
observed....I also stopped when it was apparent that I couldn’t get 
anybody to listen. 135 

Thus, when Stanley Reinartz, manager of the Shuttle Projects Office at 
MSFC, asked if anyone participating in the reconvened phone conference disagreed with 
the reversed Thiokol decision to launch, there was no dissent. 136 

The occurrence of self-censorship was not confined to Morton-Thiokol 
personnel; NASA staff also presented this symptom of groupthink. NASA engineers 
Ben Powers and Keith Coates both raised concerns with a cold-weather launch of STS 
51-L. Mr. Coats, one of the former SRM chief engineers voiced his unease with the cold. 
He stated that he didn’t “lay down on the tracks,” because he did not have the authority or 
responsibility to act. 137 Mr. Powers, in his role as an SRB engineer told his chain of 
command that “I support the contractor one hundred percent on this thing. I don’t think 
we should launch. It’s too cold.” 138 However, when one of Mr. Powers superior implied 
that Powers could have spoken up for himself, Power replied that “you don’t override 
your chain of command.” 139 History shows none of these concerns from NASA own 
engineers made into the NASA - Thiokol discussions that resulted in the decision to 
launch Challenger. Thus, both NASA and Thiokol members of the Shuttle team clearly 
exhibited self-censorship. 

The second Type III indicator of groupthink, the pressure of the group on 
any dissenters to conform, was also clearly present within the NASA - Thiokol group 
responsible for the Challenger launch decision. The cajoling, bordering on outright 
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intimidation, of Thiokol personnel by NASA management was previously brought up in 
this paper during the discussion of precursor conditions to the entrenchment of 
groupthink. In that discussion of leadership preference for a “go” launch decision, one 
only needs to return to the statement by NASA’s George Hardy that he was appalled by 
Thiokol’s reasoning for initially not recommending launch, or to the words of NASA’s 
Lawrence Mulloy, who castigated Thiokol over their “no-go” recommendation, asking 
Thiokol if they wanted NASA to wait until April to launch STS 51-L, and finally to the 
combined pressure of Hardy and Mulloy during the infamous teleconference, that pushed 
Thiokol to caucus offline. The result of which, has been discussed many times above - 
was the reversal of Thiokol’s “no go” launch recommendation. 

There are other examples of the internal group pressure to conform, such 
as during the Thiokol off-line caucus. During that discussion, which has already been 
described during the exploration of other evidence of groupthink, Jerald E. Mason, vice 
president of Thiokol’s Wasatch organization, pressured Robert Lund, the vice president 
of engineering to “take off your engineering hat and put on your management hat.” 140 
Mr. Lund surrendered his support for his engineers, and when the NASA - Thiokol 
teleconference resumed, Joe Kilminster, the Thiokol-Wasatch vice president for Space 
Booster Programs informed NASA that Thiokol has reversed direction and were now 
recommending launch. 141 The idea that the internal management discussion at Thiokol 
during this caucus was a form of pressure on dissenters was recognized and voiced by 
Chairman Rogers himself, when during Mr. Mason’s testimony before the Commission, 
he asked, “Mr. Mason, when you spoke to Mr. Lund and told him in effect to take off his 
engineering hat and put on his management hat, wasn’t that pressure on your part to a 
subordinate that he should change his mind.” 142 Thus, pressure by the group on 
dissenters within was clearly evident at this time. 

The evidence for a shared illusion on unanimity, which is another of the 
Type III indicators of groupthink, is very simple, clear, and straightforward in the case of 
the NASA - Thiokol interactions. As presented above, Thompson’s and Boisjoly’s 
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testimony before the Rogers Commission revealed that they were deeply opposed to 
reversing the “no go” launch recommendation from Thiokol. However, as stated 
previously, they were not consulted during the final management decision making 
process. Consequently, when Thiokol reconvened with NASA, the NASA personnel on 
the other end of the line were presented with a Thiokol position reversal that appeared 
unanimous. Furthermore, as the recommendation to launch proceeded up NASA’s chain 
of command to the Level II and Level I Flight Readiness Reviews, any information or 
notification regarding neither Thiokol’s concerns over temperature effects on joint 
integrity, nor the extensive teleconferences that dealt with the issue, were transmitted up 
the line. 143 This gave the ultimate NASA decision-makers the false impression that 
unanimity on the launch decision existed. 

The final groupthink symptom described by Janis is that of self-appointed 
mindguards. While this particular indicator is the least evident within the Challenger 
investigation, it does appear. First, as quoted previously in the discussion above, Roger 
Boisjoly, who was acknowledge by all as an O-ring expert, was not even asked by his 
management to participate in the final Thiokol decision-making process during their 
offline caucus. Thiokol Management isolated the troublesome objections of Mr. Boisjoly 
as well as those of Mr. Thompson during that final internal meeting. A look into the 
NASA hierarchy also shows that the NASA managers at the Level III FRR, whether 
intentionally or not, acted to shield those higher up in the decision-making process from 
Thiokol’s initial objections to the launch of STS 51-L. In fact, when polled by Chairman 
Rogers during their testimony senior leadership at all NASA Centers were not aware of 
Thiokol’s launch objections. This included Jesse Moore, Associate NASA Administrator 
for Flight and Director of the Johnson Space Center (JSC); Arnold Aldrich, NASA’s 
manager of Space Transportation Systems Programs at JSC; Dr. William Lucas, the 
Director of MSFC; and finally Mr. Richard Smith, Director of the Kennedy Space 
Center. 144 

A review of the evidence and symptomatic expression of groupthink 
provided above clearly indicates that groupthink had taken firm hold of those involved in 
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the Challenger launch decision, regardless of their organization or their location. As a 
result of groupthink, defective decision-making ran its course, with the destruction of 
Challenger , the loss of seven lives, and a serious loss of the nation’s confidence in 
NASA. Finally, in the case of Challenger , Diane Vaughan’s assertion the normalization 
of risk played a major part in the accident can be shown to be a complementary 
mechanism to groupthink. The compounded effects of these two theories left little 
chance of a successful outcome for STS 51-L. In fact, the words of Lawrence Mulloy 
reinforce this suggestion when he stated, 

We at NASA got into a groupthink about this problem [O-ring erosion]. 

We saw it, we recognized it, we tested it, and we concluded it was an 
acceptable risk... .When we started down that road, we were on the road to 
an accident. 745 

Finally, the grim words of Ben Powers, a MSFC propulsion engineer hit 
home. Mr. Powers, based at MSFC, told another engineer the morning of the Challenger 
launch that “these guys don’t have more than a fifty-fifty chance.” 146 

d. Groupthink and Columbia 

One would believe, after examining the clear and widespread indications 
of groupthink present within NASA at the time of the Challenger disaster, that there 
could be no way such a scenario could occur again. Unfortunately, an examination of 
information provided previously in this paper, combined with the results of the Columbia 
Accident Investigation Board and third-party sources reveal just that - groupthink once 
again became a major factor in the loss of a Space Shuttle and seven astronauts. Clearly, 
due to the more recent date of the Columbia accident, the body of study and discourse on 
Columbia incident is not of same depth or breadth as that concerning Challenger. 
Nonetheless, there is sufficient information for discussion and to draw conclusions on the 
presence and role of groupthink in the Columbia tragedy. 

As with the discussion of the Challenger , a review of what, if any, 
antecedent conditions to groupthink were present with NASA at the time of Columbia. 
First, is there evidence of a highly cohesive “in-group?” Linda Ham, the STS-107 
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Mission Management Team Chair, stated in a press conference, “Obviously no one wants 
to hurt the crew. These people are our friends. They’re our neighbors. We run with 
them, work out in the gym with them. My husband is an astronaut. I don’t believe 
anyone is at fault for this.” 147 Linda Ham’s words support the assertion that a cohesive 
group culture existed. 

The second precursor to groupthink taking hold is the exhibition of a clear 
preference by the group’s leadership. In the case of Linda Ham, a review of her words 
and actions show that she plainly preferred a finding that the foam impact on the leading 
edge of the wing would not result in serious damage to Columbia , and certainly not to the 
loss of the shuttle and its crew. At the Program Requirements Control Board (PRCB) 
meeting after STS-112, Ms. Ham, as a member of the PRCB, supported by Ron 
Dittemore, decided against classifying the loss of bipod foam as an In-Flight anomaly. 148 
The CAIB was clearly perplexed by this, and speculated the reasons for NASA treating 
the STS-112 foam loss differently than previous occurrences. The answer appears to be a 
strong leadership preference for a decision that would allow NASA to meet the ISS Node 
2 launch schedule, which was a significant, if not the preeminent, NASA management 
goal. Furthermore, Ms. Ham herself called the rationale for the foam strike during STS- 
112 being classified “not a safety-of-flight” as “lousy.” In fact in her email of 21 January 
2003 to Ron Dittemore she stated, “...rationale for flight for the STS-112 loss of foam 
was lousy...Rationale was lousy then and still is.” 149 How could this acknowledgement 
of deficient rationale not trigger more urgency in gathering imagery of Columbia's left 
wing? The evidence clearly points towards a leadership preference in outcome. Also 
supporting this obvious preference is the fact that when told that foam strike damage was 
a maintenance issue only, NASA management locked onto to this interpretation and 
sought no other opinions. 150 The CAIB report went as far as to state, “Tapes of STS-107 
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Mission Management Team sessions reveal a noticeable ‘rush’ by the meeting’s leaders 
to the preconceived bottom line that was ‘no safety-of-flight’ issue.” 151 

The last piece of evidence offered for the existence of a clear group 
preference for a specific outcome comes from the discussion in Section D.3 of this work. 
As stated in that section, the shuttle management team clearly had a preference for a 
launch schedule unimpeded by investigations into foam shedding. They ordered an 
investigation into the rationale used for flight authorization after STS-87 and STS-112. 
The inference is clear; Linda Ham, Ron Dittemore, and others were exhibiting a clear 
preference for the foam-shedding problem to be deemed inconsequential to flight 
operations. This is a clear indication of a groupthink precursor, and the rationale and 
methodology used by NASA management to arrive at their conclusions are clearly 
indicative of the normalization of risk as well. 

The final precursor to groupthink, as given by Janis, is the isolation of the 
group from competent outside opinion. There is evidence that this precursor existed as 
well. Rodney Rocha, the chief engineer for the Thermal Protection System (TPS), was 
adamant that not requesting outside help for imaging of Columbia was incorrect. Mr. 
Rocha, wrote an email, printed it, and shared the paper copy with colleagues; ultimately 
he did not send the message. In his draft email, Mr. Rocha stated, “In my humble 
technical opinion, this is the wrong (and bordering on irresponsible) answer from the SSP 
[Space Shuttle Program] and Orbiter not to request additional imaging help from any 
outside source.” 152 The discussion presented previously with this paper serves to 
reinforce this isolative approach to the situation by NASA. The CAIB probably summed 
it up best when offering, “Perhaps most striking is the fact that management...displayed 
no interest in understanding a problem and its implications. Because managers failed to 
avail themselves of a wide range of expertise and opinion necessary to achieve the best 
answer to the debris strike question...” 153 

This isolationist approach by NASA is further reinforced by none other 

than Dr. Diane Vaughan, whose work is a foundational component of this paper, and who 
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has been discussed extensively, above. In her testimony before the CAIB, Dr. Vaughan, 
when asked by the Board if she had ever been invited to talk to NASA about her work in 
risk acceptance and deviation normalization, stated 

No...I heard from many organizations that were concerned with reducing 
risk and reducing error and mistake. The U.S. Forest Service called, and I 
spoke to hotshots and smoke-jumpers. I went to a conference the 
physicians held, looking at errors in hospitals. I was called by people 
working in nuclear regulatory operations...Everyone called. My high 
school boyfriend called. But NASA never called. 75 ^ 

Thus, as with the case of the Challenger accident seventeen years before, 
all three antecedents to the establishment of groupthink within a body were present. The 
symptoms of groupthink will be addressed in the same order as considered in the 
previous discussion of groupthink and Challenger. 

As with Challenger , one needs to ask if there was an illusion of 
invulnerability apparent within the NASA hierarchy at the time of the Columbia accident. 
A review of discussions and testimony from the CAIB proceedings strongly indicated the 
existence of an illusion of invulnerability. During media interviews in the weeks leading 
up to the release of the CAIB’s report, an unnamed person associated with the CAIB 
(assumed to be a CAIB member, based on Admiral Gehman’s echoing of this person’s 
words during a subsequent press conference) was quoted as saying, “It’s just a mindset 
they [NASA] go into, that this was an operational vehicle, on an operational mission, and 
you don’t have to worry about it.” 155 These comments not only indicate a sense of 
invulnerability inherent in the NASA perception of a shuttle mission as a routine, almost 
pedestrian event; they echo the discussion previously regarding the historical context of 
the Challenger accident in that NASA treated the shuttle fleet as “Space Trucks.” As 
stated earlier in section III of this study, NASA initially touted the Space Shuttle as self- 


154 Testimony of Dr. D. Vaughan, Columbia Accident Investigation Board Public Hearing Transcript, 
23 April 2003, [http://www.caib.us/events/public_hearings/20030423/transcript_pm.html]. Last accessed 
June 2003. 

155 M.L. Wald and J. Schwartz, “NASA Management Failings are Linked to Shuttle Demise,” 
[http://www.nytimes.com/2003/07/12/national/12SHUT], Last accessed November 2004. 


75 



supporting and cost-effective, with turnaround times as brief as two weeks, and 
operations so “normal” as to invite commercial airline companies to offer proposals on 
the shuttle operations contract. 156 

This sense of invulnerability also directly feeds and complements 
Vaughan’s normalization of risk construct as an underlying cultural contributing cause of 
both shuttle losses. The impression of invulnerability is also revealed in the fact that 
despite requirements to do so, the Mission Management Team skipped daily meetings 
during the Martin Luther King Jr. holiday weekend. This lackadaisical approach to the 
Columbia mission, even after the discussion started on the foam-strike issue, is telling. 
This contrasts with the fact that Boeing and United Space Alliance engineers worked 
throughout the long weekend on the debris impact assessment, despite no direction from 
NASA to do so. 157 

The second groupthink symptom addressed for Columbia was the 
existence of a group’s unquestioned belief in their inherent morality. There is a single 
and glaring missive from William Readdy, astronaut and former associate NASA 
administrator for the Office of Space Flight. Mr. Readdy was the leader of the Return To 
Flight (RTF) team up through the launch of STS Discovery, STS-114. On 12 July 2003, 
within a month of the CAIB’s report, Mr. Readdy authored a letter to the RTF team in 
which he combines the expected content of a status of efforts completed by the RTF team 
and NASA; an appeal for inward reflection by NASA’s personnel; a call to maintain a 
commitment to the space program, the nation, the memory of Columbia and her crew, 
and NASA; and an attempt to build NASA’s morale and to buttress its personnel in the 
face of the daunting challenges associated with the shuttle’s return to flight. However, a 
significant amount of the letter is full of outright indignation, thinly veiled contempt, and 
rhetoric directed towards those outside of NASA. 

A complete reading of this letter shows unmistakably that with his 
denigration of outsiders and the overall tone and the writing’s stylistic approach that Bill 
Readdy is clearly showing NASA’s belief in their inherent morality. Mr. Readdy draws 
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on the words of Theodore Roosevelt, Helen Keller, and John F. Kennedy in an attempt to 
align himself and by association, NASA, with these icons of history, which the nation 
holds in great esteem and of high moral standing. 158 In his letter to NASA’s RTF team, 
Mr. Readdy stated 

Long forgotten will be the many, many scores of safely and successfully 
accomplished missions. There will be days - weeks - when Congress and 
the media will mount their bully pulpits and rail righteously at how 
careless, callous, and indifferent all of us [NASA] must have been to allow 
Columbia and her valiant crew to be lost so needlessly. And whatever we 
could say in our own defense, no matter how true, will fall on mostly deaf 
ears. We cannot let fear of criticism stop us from doing what we need to 
do or allow the critics to cow us into inaction. 759 

The above quote clearly reveals the moral high-ground Mr. Readdy truly 
believes his organization commands. To further reinforce the belief that Mr. Readdy’s 
words are further indication of groupthink, consider the following from the same letter 

Our individual and collective patience has been sorely tested. It will be 
again and again. Our expertise, professionalism, commitment, and resolve 
will be questioned...We will be called upon to explain things again and 
again to people who never seem to understand or appreciate, much less 
applaud our successes - but yet are capable of becoming instant experts 
when it comes to our failures and assigning blame. 760 

In addition to providing evidence of NASA’s belief in their inherent 
morality, the above quotations serve to directly support of the next groupthink symptom, 
the negative stereotyping of those outside the group. 

In Mr. Readdy’s letter to the RTF team, his use of terms such as “instant 
experts,” and “bully pulpits,” combined with the overall sarcastic and reproachful tone of 
the letter when talking about “outsiders,” plainly show the sort of stereotyping indicative 
of groupthink within an organization. As a final point, with respect to Mr. Readdy’s 
letter to his people, James Oberg, who spent twenty-two years working at NASA’s 
Mission Control at the JSC, had the following indictment of NASA’s behavior in this 
context 
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By demonizing all non-NASA critics, and by suggesting that questioning 
the judgment of NASA’s leadership is an insult to every space worker, the 
memo fully exposes the arrogant groupthink [emphasis added] that 
festers in NASA’s soul. i67 

A final example of stereotyping and opposition to outsiders was related by 
Dr. Diane Vaughan. According to Dr. Vaughan, the first time she was contacted by 
NASA officials was in April 2003. Dr. Vaughan imagined the caller was interested in her 
views on any possible similarities between the Challenger and Columbia accidents. But 
this was not the case. Dr. Vaughan ended up getting a “two-hour soliloquy” from 
Michael Greenfield, the then and current Associate Deputy Administrator for Technical 
Programs at NASA. 162 During this conversation, the tone and content of which was later 
confirmed by Mr. Greenfield, he told Dr. Vaughan that her assessment of NASA was 
wrong, and that there were no parallels between the Challenger and Columbia tragedies. 
He also told Dr. Vaughan that NASA had corrected their organizational problems after 
Challenger. 163 Thus the stereotyping of outsiders as wrong, stupid, uninformed, etcetera 
is clearly found at NASA. 

As stated previously, within the construct of groupthink, collective 
rationalization enables a group to reject warning signs that would push them to reconsider 
their given course of action. As with the Challenger accident, this groupthink indicator 
existed within NASA at the time of Columbia. In one instance of rationalization, NASA 
documentation released in the weeks preceding the issue of the CAIB report revealed that 
STS Atlantis was also subject to a penetration of a wing leading edge with plasma during 
the shuttle’s re-entry at the end of mission STS-101. 164 Obviously history shows that 
NASA did not stop the shuttle program temporarily to correct this design defect; the 
shuttle fleet continued to fly in an effort to meet ISS schedule pressures. In discussing 
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NASA’s public acknowledgement of a pattern of foam loss and even wing breeches, 
Mary Ellen Weber, a crewmember of STS-101, stated 

Absolutely, people knew if you have a breech in the wing, bad things can 
happen. That isn’t news. Knowing what I know now about gas entering 
the shuttle’s wing, do I believe the mission I was on was any more risky 
than I thought it was when I took off? No...We may fix this particular 
problem, but I guarantee the next time astronauts get on that shuttle there 
will be a thousand other things that can happen . 165 

While Professor Weber’s statements could be taken as a simple 
recognition of the hazards of space flight, there is a clear rationalization of the risks 
present in her words. To say that she believes in light of the Columbia’s loss that her 
flight on Atlantis, which suffered a similar wing failure was no more risky, displays 
bravado bordering on foolhardiness. Weber’s stance is contrasted with that of Paul 
Czysz, a professor of aerospace engineering and NASA consultant, who met the 
disclosure of the previous wing damage during STS-101 with puzzlement as to why 
NASA was not proactive in assessing the problem. Professor Czysz told reporters, “That 
[the Atlantis Thermal Protection System failure] says they had fair warning and ignored 
it. They should have said if that [the Columbia foam impact] opened up a crack any 
bigger than the one on Atlantis, we’re in deep trouble.” 166 The record shows that NASA 
did not address the wing breech issue in any substantive way prior to STS-107. This 
collection rationalization of the risks associated with debris-strike can also be seen as the 
normalization of deviation theory. As discussed in the contextual sections of this paper, 
Dr. Vaughan’s theory makes for a compelling complement to groupthink as contributing 
factors to both the Challenger and Columbia losses. 

Finally, James Oberg, whose previously referenced editorial was a 
scathing indictment of NASA’s management culture, also believe that NASA suffered 
from this sort of collective rationalization. In his discussion of the post -Columbia loss 
foam impact testing, which clearly reveal the extensive damage a foam strike could do to 
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the orbiter’s wing, Mr. Oberg declared “Yes even after launch, NASA officials continued 
to make convenient and false assumptions about how bad the damage could be.” 167 

As with the Challenger analysis, one of the symptoms of groupthink most 
clearly evident during the Columbia event was that of self-censorship on part of group 
members. The official testimony and other sources are rife with examples of self¬ 
censorship on the part of NASA. The CAIB report is full of examples of self-censorship. 
As described in this paper’s discussion of the antecedents to the establishment of 
groupthink with regard to Columbia , Rodney Rocha, the TPS chief engineer drafted an 
email where he called the decision to not request outside imaging help “wrong” and 
“bordering on irresponsible.” Yet ultimately Rocha did not send the email; self¬ 
censorship took hold. Mr. Rocha was an interviewee during an American Broadcasting 
Company (ABC) special report where he admitted to not being vocal about his foam- 
strike concerns during the meeting where Linda Ham put the matter to rest. Rocha told 
his interviewer that he was afraid he would lose his job, and that he “just couldn’t do it 
[speak up].” 168 The CAIB report reinforces Mr. Rocha’s statements. The Board’s 
investigators were told by Debris Assessment Team members that they believed they 
would be singled out for scorn by their colleagues and management if they had been 
more strident about their unease over the severity of the foam-strike on Columbia. 169 

Further evidence of self-censorship can be found in reviewing the actions 
and inaction of Wayne Hale, who was the Shuttle Program Manager for Launch 
Integration at KSC. Mr. Hale was the first person approached by personnel interested in 
obtaining imagery for a debris-strike evaluation on Columbia. 110 Mr. Hale pursued the 
request through various channels, until Linda Ham stopped the request process as head of 
the MMT. 171 Mr. Hale, who took over as Deputy Manager of the Space Shuttle Program 
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in the aftermath of Columbia, felt that he should have pushed harder for the imagery 
request to be executed, and that his decision to not push would “haunt him for the rest of 
his days.” 172 

Janis has shown that another Type III indicator of groupthink is the 
pressure of the group itself on any dissenters to conform to the collective. Once again, as 
was the case in the lead-up to the Challenger disaster, this groupthink symptom was 
present within NASA. As discussed in Section III of this paper, the CAIB delved into the 
organizational causes and the impact of a flawed safety culture on Columbia ’’s loss. The 
CAIB report states, “Program managers created huge barriers against dissenting 
opinions...” 173 In their discussion of the cultural and organization dysfunctions that 
contributed to the Columbia accident, the CAIB provided further rationale supporting 
pressure on dissent. When speaking of the ad hoc chain of command that influenced the 
end result of STS-107, they criticized the behavior of an unnamed NASA expert 

...a Thermal Protection System tile expert, who was a member of the 
Debris Assessment Team but had an office in the more prestigious Shuttle 
Program, used his personal network to shape the Mission Management 
Team view and snuff out dissent [emphasis added]. 174 

The CAIB believed that NASA management techniques and NASA’s organizational 
structure also served to squelch dissent. NASA management is directly charged by the 
CAIB with not seeking out dissenting opinions to help explore all options. 175 

Thus, pressure on dissenters within the Mission Management Team and 
others support it is shown to be evident within NASA during the time of the Columbia 
mishap. 

The groupthink symptom of the false impression of group unanimity is 
closely aligned with that of self-censorship. The lack of vocalization of concerns about 
the magnitude of the foam strike on Columbia’s left wing, as well as the lack of forceful 
dialog about the need for outside imaging help, as described above only served to support 
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the notion that all were in agreement regarding the risks to reentry as well as the lack of 
real need for further imaging support for the Debris Assessment Team analysis. That this 
perception of conformity was truly illusory is shown in the email of Robert Daugherty, a 
landing gear specialist at Langley Research Center. In his email of 28 January 2003, 
Daugherty asks his counterpart at JSC, “Any more activity today on the tile damage, or 
are people just relegated to crossing their fingers and hoping for the best?” 176 These 
words show just how false the unanimity was. 

The final groupthink symptom to be addressed here for the case of 
Columbia is the existence of self-appointed mindguards within organization who strive to 
insulate the group from anything perceived as negative or detrimental to its function. The 
most common type of mindguard behavior is tied to the stereotyping of outsiders. In 
negatively stereotyping outsiders and dissenters, the mindguards involved in the 
Columbia episode, such as William Readdy, act to marginalize and trivialize this outside 
input as haymaking. In an effort to act as one of NASA’s chief mindguards, Mr. Readdy 
quotes Teddy Roosevelt in his message to his team and indirectly to the larger audience 
he knew would undoubtedly read his letter. Readdy’s correspondence is full of the sort 
of language that reinforces the barrier between NASA and the outside world. Roosevelt’s 
words are worth repeating here to substantiate the assertion of Readdy acting as a 
mindguard. 

It is not the critic who counts; not the man who points out how the strong 
man stumbles, or where the doer of deeds could have done them better. 

The credit belongs to the man who is actually in the arena, who strives 
valiantly; who knows the great enthusiasms, the great devotions, and 
spends himself in a worthy cause; who, at best, knows the triumph of high 
achievement; and who, at worst, if he fails, at least fails while daring 
greatly, so that his place shall never be with those cold and timid souls 
who know neither victory nor defeat [emphasis added]. 177 

The message is clear; Mr. Readdy is relating the struggle of those who 
“strive valiantly...who spends himself in a worthy cause,” those who if they do not 
succeed, at least they tried something “daring,” to NASA. This lionizing of his own 
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organization is contrasted with Roosevelt’s “cold and timid souls who know neither 
victory nor defeat.” These people are unquestionably those same people Readdy 
previously called “instant experts” and critics. Here he is zealously guarding his people, 
and one could argue irrationally so. 

When investigating the existence of mindguards within NASA, a review 
of NASA’s actions prior to the reentry attempt of Columbia show that personnel at lower 
levels associated with the debris assessment were convinced the foam strike was 
inconsequential (a “maintenance” issue) and as such they did not pass anything but a 
unified, “we’re okay” position up the management chain. Thus, they served as 
mindguards. A concrete example of mindguard behavior is that exhibited by Leroy Cain, 
the STS-107 ascent and entry Flight Director. Mr. Cain, in rebuttal to Rodney Rocha’s 
previously quoted statement regarding his self-censorship, declared, “You are duty-bound 
as a member of this team to voice your concerns, in particular as they relate to safety of 
flight.” 178 Thus, Cain was acting as a mindguard for NASA, protecting itself against 
negative impressions of its culture and organization. 

The evidence presented above unmistakably shows that as with the 
Challenger calamity, groupthink existed within NASA at the time of the Columbia 
accident. As with Challenger , flawed decision-making led to the loss of seven astronauts 
and Columbia. As with Challenger , the nation’s faith in NASA was shaken to its core 
and still has not recovered. Lastly, the Diane Vaughan’s theory of risk normalization can 
be seen as a complementary and symbiotic mechanism to Jams’s groupthink. 
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V. CONCLUSIONS AND RECOMMENDATIONS 


A. OVERVIEW 

The authors’ Command, NUWC Division Newport, and Naval Sea Systems 
Command in general, as major technical entities in the specification, engineering, and 
management of critical U.S. Navy submarine and surface ship systems, is faced with 
tasks, challenges, and decision, which could ultimately have life-or-death consequences 
on a national or even international scale, just as is the case with NASA. The conclusions 
and recommendations that follow will reveal a variety of lessons-learned, both the 
glaringly evident and the subtle, that are applicable beyond NASA and the authors’ 
Command to other Department of Defense (DoD) activities. 

Any person who has paid attention to the trials and travails of the DoD in the last 
decade or so is well aware that one of the mantras of this world is to incorporate lessons- 
learned wherever and whenever possible, as an input towards achieving continuous 
improvement downstream. While this is often construed as a vain attempt to salvage 
some good from a DoD’s project’s poor outcome, there is truly significant value in 
capturing what worked and what did in order to feed efforts to maintain continuous 
improvement. There have been very few major (Acquisition Category (ACAT) I) 
programs that haven’t been held up as examples of DoD ineffectiveness, at some time or 
another, either in the press, by watchdogs groups, or Congress (especially in cases of 
Nunn-McCurdy breeches) during budget hearings. A cross-service subset of these 
programs includes the F/A-22 Raptor, the OV-22 Osprey, the LPD-17, the Future 
Combat System, Advanced Seal Delivery System, and a variety of other high profile 
programs. 

Thus, when reviewing NASA’s experiences and activities associated with the two 
shuttle losses, beyond the discrete conclusions that can be draw regarding NASA, there 
are generalized observations and recommendations can be made that would serve to aid 
the performance of other activities that pursue similar high-risk, large-scale, technically- 
complex projects within the confines of a large, dispersed, public bureaucracy. 
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B. CONCLUSION I 
1. Conclusion 

Risk acceptance and normalization of deviance cannot be allowed to become an 
embedded organizational behavior. 

The research of Dr. Diane Vaughan, and the further investigation undertaken in 
this paper, clearly shows that the acceptance of risk concurrent with the normalization of 
deviation leads organizations to lower the bar for risk analysis and to raise it when 
considering what deviations from the previously accepted norm require a pause in 
operations for detailed investigations. In the case of NASA, O-ring erosion and foam 
shedding were originally not allowed, but continued “success” in flight operations with 
these anomalies desensitized NASA management to the mounting risks associated with 
flying the shuttles “as is.” As this paper has shown. Dr. Richard Feynman, arguably one 
of the brightest minds of the twentieth century, provided early confirmation of risk 
acceptance as a problem within NASA in his personal observations which formed part of 
the Rogers Commission report. Feynman compared NASA risk acceptance to playing 
Russian roulette. This analogy is both stark and fitting. The dilution of original 
performance or design standards without comprehensive, risk-based analysis to back it up 
is to court disaster, as did NASA. Redefining acceptability based on successful 
performance with unintended abnormalities is not prudent. 

The CAIB stated that in the cases of both Challenger and Columbia , 

Anomalies that did not lead to catastrophic failure were treated as a source 
of valid engineering data that justified further flights...In both cases 
[Challenger and Columbia ] engineering analysis was incomplete and 
inadequate. Engineers understood what was happening, but they never 
understood why. 179 

Thus the CAIB, the Rogers Commission, and independent observers like Dr. 
Vaughan all have reached the same conclusion regarding risk normalization in high-risk, 
complex, technology-driven pursuits. 
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2. Recommendation 

Organizations that pursue high-risk, cutting-edge technological work should never 
redefine acceptable performance based on past performance with inadvertent deviations 
from established norms. Any risk assumption needs to be based upon in-depth analysis 
and objective assessment of risk probability and consequence of occurrence. 

Normalization of risk should not occur, ever. The slippery-slope of the gradual 
acceptance of the abnormal as normal results in a false sense of security and a blindness 
to the underlying problems inherent with the occurrence of a repeatable, yet seemly 
innocuous abnormality that varies from a system’s initial operational precepts and 
requirements. Diane Vaughan, in her presentation before the CAIB, provided some high- 
level recommendations on how to help prevent this sort of negative behavior within an 
organization. She told the Board that organizational leaders need to stay grounded, and 
to make sure they remain aware of the hazards of their own organization’s work 180 . She 
also stated that organizations need to ensure they don’t miss “signals.” That is, for 
example, O-ring erosion is a signal that the SRB system was not performing as designed, 
regardless of the “successful” outcome and should be analyzed further. All levels of an 
organization should be in sync with regards to the likelihood and consequences of risk. 
Dr. Feynman mentioned this explicitly in his conclusions to his appendix to the Rogers 
Report. All elements and organizational levels must be allowed to voice dissenting 
opinions and that there should be a cultural value to making sure no one is intimidated 
into silence. Conversely there needs to be respect for the accountability and 
responsibility inherent in management decisions, when based upon the open and rational 
assessment and assumption of risk. This recommendation is further reinforced by the 
follow-on recommendation regarding groupthink, below. On this point the CAIB 
provided guidance to NASA, which is extremely applicable to similar organizations. The 
CAIB noted that 

It is obvious but worth acknowledging that people who are marginal and 
powerless in organizations may have useful information or opinions that 
they don’t express. Even when these people are encouraged to speak, they 
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find it intimidating to contradict a leader’s strategy or a group consensus. 

Extra effort must be made to contribute all relevant information to 
discussions of risk. These strategies are important for all safety aspects, 
but especially necessary for ill-structured problems like O-rings and foam 
debris. Because ill-structured problems are less visible and therefore invite 
the normalization of deviance, they may be the most risky of all. 181 

A key organizational element that is required to counteract normalization of 
deviation is the existence of a robust and independent safety program and organization. 
This organizational construct is treated in more detail in a follow-on conclusion, below. 
But, it is important to note that in the case of the Columbia accident the CAIB 
recommended in their findings on the topic of deviance normalization that “A safety team 
must have equal and independent representation so that managers are not again lulled into 
complacency by shifting definitions of risk.” 182 

Safety programs should never be cut simply on basis of the project’s bottom line. 
Any reduction in safety should be taken in lock-step with a re-evaluation of the project’s 
overall goals and requirements. Reduction simply based on past performance on other 
projects is not sufficient justification for taking such action. 

C. CONCLUSION II 
1. Conclusion 

A shift in an organization’s precepts from proving a positive to proving a negative 
results in erosion of safety principals and supports a shift to unwarranted normalization of 
deviation. 

The analysis in this thesis has revealed that NASA’s cultural shift to proving it 
unsafe to fly the shuttle rather than confirming it was safe to fly, as was the case during 
the Apollo Program, contributed greatly to the demise of Challenger and Columbia. In 
the case of Challenger , Thiokol representatives felt NASA management’s insistence on 
proving the shuttle unsafe to fly in cold weather with O-ring blow-by was an impossible 
standard to meet. Under the conventional standard of proving a system safe before 
operation, there would have been plenty of unknowns stated to not allow Challenger to 

181 Columbia Accident Investigation Board, p. 203. 

182 Columbia Accident Investigation Board, p. 203. 
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launch. This cultural shift and the inherent risks it reintroduced to the Space Shuttle 
Program were noted by the CAIB with respect to Columbia. These findings apply to any 
similar organization, and pushing personnel to prove a negative as means of maintaining 
schedule and operations is a cultural rule that increases the risk of mission failure. The 
inability to disprove a system’s safe operation inherently leads to an increase in risk 
assumption. Furthermore, the normalization of deviation can lead to the inability to 
prove an unsafe condition and thus, a system is perceived as safe to operate. 

2. Recommendation 

System operations and schedules must be predicated upon proving a system is 
safe to operate and is effective, rather than the opposite. 

This recommendation is succinct and self-evident. Requiring organizational 
components to prove a system is safe to function instead of substantiating it is unsafe to 
operate helps to ensure all risks are identified, analyzed, and mitigated properly 
beforehand. Ensuring all levels and functions of an organization follow this dictum will 
mean that any unanswered questions or ill-understood risks will stop the march towards 
an event. In the case of DoD programs, this would serve to prevent Operational Test 
(OT) failures, and in the extreme case, loss of life as regrettably occurred in the V-22 
Osprey Program. It follows that examining all risks adequately prior to concurrence to 
move forward with an event or operation implies that normalization of deviation should 
not occur. 

D. CONCLUSION III 

1. Conclusion 

The existence of groupthink within an organization leads to a lower probability of 
mission success and intrinsically supports the undesired normalization of deviation and 
unjustified risk acceptance. 

This paper’s in-depth examination of the Challenger and Columbia incidents for 
evidence of groupthink clearly indicates that it existed within the NASA hierarchy at 
those times and shows the destructive consequences of not recognizing its presence and 
negating it. Without calling out groupthink by its name, the CAIB, in particular, invoked 
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several of Janis’s precepts and groupthink remedies, which follow below, in its 
recommendations. One prime example is their discussion of the importance of airing 
minority opinions and the use of a devil’s advocate. The CAIB stated “Organizations 
with strong safety cultures generally acknowledge that a leader’s best response to 
unanimous consent is to play devil’s advocate and encourage exhaustive debate...leaders 
failed to seek out such minority opinions. Imagine the difference if any Shuttle manager 
had simply asked, ‘Prove to me that Columbia has not been harmed.’” 183 

The examination of NASA’s behavior during the time of Challenger and 
Columbia clearly shows where all of the eight symptoms of groupthink existed within 
NASA and at times, its contractors. These symptoms resulted in NASA failing to plan 
for contingencies, neglecting to examine the risks of their preferred choices, 
demonstrating a clear selective information bias, and finally, failing to completely review 
possible alternatives and outcomes. The net results were the loss of two space shuttles 
and fourteen astronauts. Furthermore, some of these symptoms such as Excessive 
Rationalization directly support Diane Vaughan’s concurrent theories of risk assumption 
and normalization of deviance. 

2. Recommendation 

High-performing organizations pursuing technically-challenging goals with high 
risk and visibility should ensure that cultural norms and processes are established and 
maintained to root out and neutralize groupthink. 

The detailed implementation of this recommendation can best be summarized by 
Janis’s own counsel on the matter. Janis offers nine remedies to groupthink. 184 A 
detailed description of each recommendation can be found in Appendix D. 

1. Encourage critical thinking 

2. Leadership should attempt to remain impartial to ideas or proposals 

3. Use multiple subgroups in parallel with different leaders to work the same 
problem 

4. Reconvene the smaller subgroups to reach a combined decision 

183 Columbia Accident Investigation Board, p. 192. 

184 Janis, Victims of Groupthink: A Psychology Study of Foreign Policy, p. 204, Houghton Mifflin, 
Boston, 1972. 
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5. Each member of the group(s) should be empowered and authorized to 
discuss the group’s progress with trusted associates outside the “in-group”, 
but within the larger organization 

6. Outside expert opinion should be allowed. 

7. A devil’s advocate should be assigned within the group 

8. Take time to discuss potential opposing views and responses 

9. Have a “second chance” meeting prior to a final decision 

Janis noted that these steps do not guarantee that a perfect decision is made, but 
significantly increase the chances of reaching good one. Also, it is noted that these steps, 
particularly those that involve the voicing of concerns and the review by outside experts 
may lead to a prolonged decision-making process, which may increase time pressures. 
However, it is incumbent upon leadership to fully understand their organization’s culture 
and to work to incorporate at least some of the antidotes for groupthink in a manner that 
balances all mission requirements. 

E. CONCLUSION IV 

1. Conclusion 

A lack of an independent and sufficiently resourced safety program greatly 
increased the risk of catastrophic mishaps occurring. 

The Rogers Commission and the CAIB both issued firm findings and 
recommendations on the insufficient and atrophied safety programs in place during the 
times of Challenger and Columbia. The Rogers Commission spoke of a “silent” safety 
program, while the CAIB stated this silence had returned prior to the Columbia 's loss. 
Both investigative bodies strongly recommended the establishment of truly autonomous 
and independently funded safety and reliability organizations, with direct reporting to 
NASA Headquarters. NASA’s safety organization and their culture was described as 
complacent and filled with unjustified optimism. 185 Finally, the loss of in-house 


185 Columbia Accident Investigation Board, p. 180. 
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expertise and organizational downsizing due to budgetary pressures, combined with the 
outsourcing of key safety-related operations, further lessened NASA’s ability to conduct 
a proper safety program. 

The operations and fate of NASA’s safety program is echoed with occurrences of 
the same sort within the DoD community. Within NAVSEA, for example, safety 
programs are typically funded by the Program Offices which is acquiring the system or 
systems being overseen with the notable exceptions of the Submarine Safety (SUBSAFE) 
and reactor safety programs. Other than these high-performing safety functions, with 
their impeccable track records, there are few Program Executive Office (PEO) or higher 
level organizations that directly fund safety programs that conduct the detailed system or 
subsystem safety analyzes and assessments. Independent safety boards do exist, such as 
the Weapon System Explosives Safety Review Board (WSESRB), but they only review 
the safety products conducted by the lower-level organizations with the Program Office’s 
line of direction and funding. One of the authors of this paper has had the unfortunate 
experience of not one, but two different Program Offices stating that they “had paid 
enough for system safety,” and would not fund the recommended safety-related tasking 
for ordnance-related submarine systems. This sentiment held sway, despite the fact that 
there was a clear, objective need for “more safety.” Ultimately both Program Offices 
ended up expending more than the amount of resources originally requested for system 
safety, correcting deficiencies in products that a more robust safety program would have 
caught. They were also required to increase the amount of safety-related tasking in 
response to directives and recommendations from higher-level safety organizations. This 
sort of attitude reveals a certain lack of understanding of the need for and value of an 
independent safety organization. 

2. Recommendation 

Organizations pursuing high-risk, life-risking, technically-complex endeavors 
need to ensure that their safety program is truly independent and separately sourced from 
those activities it critiques. It cannot simply be a paper organizational chart which is not 
founded on reality. The safety program, like any overarching management or integrated 
engineering function, should be empowered to act. 
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Truly effective safety programs like the SUBSAFE program, which the CAIB 
held up as an example for NASA to investigate, more than pay for themselves in 
accidents avoided, lives not lost, programs not delayed, reputations untarnished, missions 
completed, and national admiration maintained. Empowerment by senior leadership 
leaves those in the safety community with a mandate to act autonomously and not 
consider themselves accountable to their work unit or center management. These 
functions, and the personnel performing them, must be distinct and inherently objective, 
free from any “product line” pressure to conform to schedule, budget, etc. In effect, they 
should be ombudsmen for the end-user, whether that is a sailor, a soldier, or an astronaut. 
Furthermore, management should not have more than one role or responsibility in an 
organizational structure. This is particularly true for safety and risk management 
personnel. While multiple roles and responsibility are often advantageous and 
economically-required in various engineering and management functions associated with 
large-scale engineering projects, the safety management activity needs to be shielded 
from this watering down of their focus, responsibilities, and allegiances. 

Within NAVSEA, the establishment of Technical Warrant Authority (TWA) has 
restored some of the autonomy and independent oversight of NAVSEA and PEO 
products. Warrant Holders, who come from a cross-section of NAVSEA activities and 
disciplines, have a direct covenant with the Commanding Officer of NAVSEA 
(COMNAVSEA). Each Warrant Holder has the ability to investigate serious technical, 
programmatic, and safety matters within their assigned areas of responsibility. They 
draw on the cross-functional expertise of lower-level managers and engineering staff. 
However, a majority of this staff is funded by the Program Offices for which the 
independent TWA has been assigned oversight of their products. This is a sub-optimal 
solution and seems to set the stage for competing allegiances. However, to date, despite 
some difficulties in implementation with the Program Offices, Warrant Holders have 
been able to effect positive and much needed independent assessments of various matters, 
including weapons and launcher systems safety. The size of the TWAs’ budget for 
executing their responsibilities has grown, and it is envisioned that further growth in 
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these resources will reinforce the Warrant Holders’ authority and independence. 
NAVSEA and PEO organizations, particularly Ship Construction Managers, are 
embracing the TWA construct. 

F. CONCLUSION V 

1. Conclusion 

Unrealistic expectations for a project’s milestone dates and unyielding pressure to 
meet those goals can combine to contribute to poor outcomes and serious mishaps. 

Both the Rogers Commission and the CAIB found that the Space Shuttle 
Program’s flight rate requirements and projections did not match a realistic assessment of 
what a safely obtainable flight rate should be. The CAIB in particular, took NASA to 
task for not setting flight rate expectations that were commensurate with available 
resources, and were adequately risk balanced. 

This sort of schedule driven pressure is rife within DoD, as projects push to meet 
programmatic schedule milestones in an effort to obtain the next big funding increment 
such as that when a program reaches Milestone C or the Full-Rate-Production (FRP) 
milestone. This pressure to meet a calendar date, rather than a level of system maturity 
and safety is also due to the need to synchronize with the artificial constraints of the 
Planning, Programming, Budgeting, and Execution (PPB&E) cycle. The equally poor 
outcomes can be seen in such programs as the V-22 Osprey, where nearly two dozen 
servicemen died in test/training accidents, and the falsification of V-22 maintenance 
records to support the FRP milestone approval was executed by military officials. To a 
lesser extent, DoD projects that fail miserably during testing due to a lack of design 
maturity and stability at the time of the “must happen” milestone can be traced to this 
issue. 

2. Recommendation 

Project leaders need to ensure that any operational tempo, milestone goals, or 
schedule drivers are balanced with the amount of resources available and the risk 
assessment of this balance makes certain that risks assumed are recognized, 
comprehended, and acceptable. 
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After reviewing the experiences of NASA with respect to this recommendation, 
the message and lesson-learned is clear and concise: to the maximum extent possible, a 
system development must be event-driven, not schedule-driven. Obviously, within the 
DoD arena, any organization must take into consideration the schedule aspects of their 
work. It will take enlightened leadership from all stakeholders to balance the statutory 
schedule requirements with a schedule that derives from event milestones that measure 
success, not simply time in the development cycle. 

G. CONCLUSION VI 

1. Conclusion 

Organizations that suffered from a lack of a consistent systems engineering 
approach and process to address design issues increase the risk of failure and unintended 
consequences. 

Based on the analysis completed to answer research question No. 2 of this thesis, 
it is clear that NASA, though one of the world’s preeminent science and engineering 
organization, had a lapse in the consistent application of a rigorous systems engineering 
process, where design changes as well as uncovered flaws, were not systematically 
investigated for “cascade effect” impacts and risks to other design features. Combine 
these inconsistent systems engineering approach with the normalization of deviance and 
risk assumption described by Vaughan, and the danger of faulty reasoning and design 
implementation goes up significantly. 

The Defensive Acquisition University (DAU) defines the systems engineering 
process as “a top-down comprehensive, iterative, and recursive problem solving process 
applied sequentially throughout all stages of development...” 186 Figure 3, below provide 
a flow chart of the fundamental process. As this paper has described, the ultimate design 
of the Space Shuttle was not that which was originally conceived. In order for the Space 
Shuttle Program to remain politically viable and palatable, design compromises were 
made without the proper realistic, recursive engineering and risk analyses being 


186 Systems Engineering Fundamentals, Defense Acquisition University Press, Fort Belvoir, VA. 
January 2001. p. 5. 
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conducted to assess the impact of these concessions. The end result was a sub-optimal 
design that in hindsight had clearly fatal flaws that were poorly understood. 



The change from a two-stage, piloted booster-orbiter design to the ultimate design 
of orbiter, external fuel tank, and solid-propellant boosters set in motion a cascade of 
design risks. First, there was the shift from the cryogenic-liquid propulsion systems so 
successfully used by NASA to the SRB implementation from a land-locked vendor who 
had no choice but to ship the SRBs in sections. This introduced the infamous O-ring 
design that doomed Challenger. Then, as a result of the step away from the two-stage, 
individually-piloted shuttle system, the size of the orbiter increased and its former 
straight-winged design became the delta-wing implementation of record. Unfortunately 
the shuttle’s Thermal Protection System (i.e., the tiles) design was well-suited for the 
straight-wing version of the orbiter, not the complex-angle, delta-wing concept ultimately 
flown. Finally, the shift to the external fuel tank and SRBs introduced the foam-shedding 
phenomenon with the initial requirement that no foam be shed, thus allowing the use of 

Systems Engineering Fundamentals, p. 6. 
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the rather fragile thermal tiles that were the optimal TPS solution for an orbiter design 
that no longer existed. The very first shuttle flight initially raised the alarm, when a large 
number of thermal tiles required replacement. However, as history as shown, the 
continued success of shuttle missions with tile loss and failure, led NASA toward the 
normalization of deviance so well-defined above. None of these design changes were 
subjected to the sort of rigorous analysis required for mission-critical systems with lives 
at risk. Combine this shortcoming with risk normalization, and it was only a matter of 
time before a serious engineering failure occurred. 

In the case of DoD programs, the experience of one of the authors of this work 
will suffice to show a phenomenon similar to that found in NASA with respect to the 
systems engineering process. During the development of a new family of submarine 
acoustic countermeasures, used for torpedo evasion and threat sonar system avoidance, 
multiple unanticipated hardware failures occurred during developmental and operational 
testing. The failures all dealt with the effects of water in-rush into the countermeasure’s 
launch tube during the launch process. The initial failure was the shearing of the small 
plastic propeller used to provide the minimal lift required for the countermeasures to 
hover after launch. Since a version of this prop-driven hover system with a metal 
propeller had been used successfully in previous countermeasures, the metallic version 
was implemented by the contractor without completely reassessing the effect this change 
may have on other design components with the countermeasure. That is, they did not 
properly employ the systems engineering process to re-evaluate the consequences and 
risks of their design modification. 

The next round of testing, where the contractor expected everything to go well, 

yielded failures of the gear train in the hover motor. Now that the propeller was not 

breaking, the higher loads on it were transmitted to its shaft, and the shaft plastically 

deformed, binding the hover system. The shaft design was modified and during the next 

series of tests the hardened shaft transmitted high loads to the hover motor’s gear train, 

which failed. Thus, the seemingly sound and innocuous change of materials, based on 

previous success and on what in effect is a small, model airplane propeller and hover 

motor, yielded a series of costly test failures and schedule delays and threatened the 

delivery of critical submarine self-defense capability upgrades. 
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2. Recommendation 

Organizations pursuing highly complex system or system-of-systems designs 
should employed a documented, consistent systems engineering process. 

The implementation of this recommendation is straightforward. Most, if not all 
activities, have systems engineering expertise within their organization. This expertise 
should be identified, and utilized within the constructs of a defined, documented systems 
engineering process. A systems engineering management plan should be developed, or 
updated if one already exists. This document needs to be a living document that is 
tailored to meet the evolutionary requirements of the organization’s mission and goals. 
Proper training and professional development of systems engineers is of the utmost 
importance. With the increasing complexity of DoD projects and the concurrent 
implementation of system-of-systems, capability-based solution requirements, the need to 
ensure that system design changes are evaluated in a comprehensive, iterative process, to 
ensure the law of unintended consequences does not take hold, nor the risk to personnel 
or mission success increased without identification and assessment of this risk. 

H. CONCLUSION VII 

1. Conclusion 

An organization’s structure must be compatible with mission requirements. 

The major problem with NASA Space Shuttle Program’s organizational structure 
was a lack of overarching programmatic and technical authority resident in a top-level, 
cross-location, cross-functional position and staff. Both the Rogers Commission and the 
CAIB identified organizational structure flaws and responsibility mismatches as 
contributors to their respective accidents. Because of the lack of a central programmatic 
and technical organization, not aligned with any one NASA center, there was no one 
seeing the “big picture” and assessing the implications of the integration of the various 
subsystems within the STS - fuel tank, orbiter, and boosters. Furthermore, when 
specialized splinter teams were formed to assess problems and risks, they were not 
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properly empowered nor chartered to successfully complete their tasks. A prime example 
of this was the Debris Assessment Team, formed to investigate and report out on the 
implications of the foam strike on Columbia. 

For organizations like NASA the message is equally clear. The DoD wrestled 
with the problem of establishing the sort of top-level organizational structure that could 
align programmatic and technical issues, and do so at a high enough level to manage all 
facets of the integration of complex systems of systems. The restructuring of the DoD 
that resulted from the work of Packard Commission, the passage of the Goldwater- 
Nichols act, and other more recent efforts (DoD 5000 series restructuring) has attempted 
to solve this problem with mixed success. One only needs to examine the amount of 
problems and delays that result in the integration of such complex systems, like the U.S. 
Navy’s Seawolf Class submarine, where one Program Office was responsible for the 
ship’s acquisition, but several others are responsible for the multitude of Government 
Furnished Equipment (GFE) subsystems integrated into the ship’s design. 

2. Recommendation 

Organizations need to ensure that there is an overarching integration activity or 
function for operations and that this group has the authority and responsibility for the top- 
level integration of all elements within a project. 

This organization needs to have the autonomy, resources, and mandate to direct 
high-level, interdisciplinary teams in pursuit of safe and successful operations. As a 
corollary to this dictum, any specialized “Tiger Teams’’ need to have the appropriate 
charter with clear roles, responsibilities, and authority as required to complete their task. 
As these sorts of teams are typically established when there is a major concern or 
problem within an organization, it is crucial that the aforementioned framework for the 
team’s success is in place. 

With respect to DoD-type of large-scale programs, the continued maturation and 
implementation of the Integrated Product and Process Development (IPPD) teams for 
cross-functional, concurrent design, utilizing fundamental systems engineering principals, 
will help alleviate the problem of organizational structure mismatch with mission 
function and performance requirements. For example, the Virginia Class submarine 
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program greatly increased the use of the IPPD process compared to preceding submarine 
acquisition programs. While far from perfect, the widespread use of System Integration 
Teams and Process Integration Teams through all aspects of the Virginia Class design, 
construction, test, and lifecycle support aspects resulted in a much shorter lead-ship 
construction delivery timeline than previous submarine classes. An example at the detail 
level is various logistics products such as ordnance handling manuals, Maintenance 
Requirement Cards (MRCs), and Allowance Parts Lists (APLs) were delivered with 
greater fidelity prior to the lead ship’s delivery, rather than after it, as was the case of the 
Seawolf Class. Also, in the instance of shock qualification of the External 
Countermeasure Launcher (ECL), the Virginia Class system was shock test and qualified 
prior to lead ship delivery, rather than after it like the Seawolf Class. Most telling is that 
USS Virginia (SSN 774) was delivered six years after ordering, while USS Seawolf (SSN 
21) was delivered 8.5 years after ordering, and was subject to an extensive construction 
and test period due to multiple series design and workmanship issues. The most costly 
and schedule-consuming ones included weld cracks in pressure hull sections and the loss 
of Wide Aperture Array panels during at-sea testing. 

I. CONCLUSION SUMMARY 

The authors of this work found evidence of 

1) Risk acceptance and normalization of deviance. 

2) A shift from proving a positive to proving a negative (safe versus not 
safe to fly). 

3) Groupthink. 

4) Lack of an independent and adequately resourced safety program. 

5) Unrealistic project schedule and milestone dates. 

6) Lack of a consistent system engineering process. 

in the behavior of NASA during the period spanning the Challenger and Columbia 
accidents. All six of these phenomena were present thought out and are indicative of 
cultural defects with NASA. 
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In order to address these cultural deficiencies, the authors provide recommendations to 


1) Never redefine acceptable performance based on past performance and 
to ensure risk assumption is based upon in-depth analysis and 
objective assessment of risk probability and consequences of 
occurrence. 

2) Consistently maintain the requirement to prove a system is a safe and 
effective to operative, rather than the opposite. 

3) Reveal and neutralize groupthink. 

4) Ensure safety programs are independent and separately resourced from 
those activities they evaluate 

5) Project schedule, milestones and operational tempo should be balanced 
with the amount of available resources and be based upon an impartial, 
comprehensive risk assessment. 

6) Utilize a documented, consistent systems engineering process. 


101 



THIS PAGE INTENTIONALLY LEFT BLANK 


102 



APPENDIX A. PRESIDENTIAL COMMISSION ON THE SPACE 
SHUTTLE CHALLENGER ACCIDENT RECOMMENDATIONS 


The Commission has conducted an extensive investigation of the Challenger 
accident to determine the probable cause and necessary corrective actions. Based on the 
findings and determinations of its investigation, the Commission has unanimously 
adopted recommendations to help assure the return to safe flight. 

The Commission urges that the Administrator of NASA submit, one year from 
now, a report to the President on the progress that NASA has made in effecting the 
Commission's recommendations set forth below: 

-I- 

Design. The faulty Solid Rocket Motor joint and seal must be changed. This 
could be a new design eliminating the joint or a redesign of the current joint and seal. No 
design options should be prematurely precluded because of schedule, cost, or reliance on 
existing hardware. All Solid Rocket Motor joints should satisfy the following 
requirements: 

• The joints should be fully understood, tested, and verified. 

• The integrity of the structure and of the seals of all joints should be not less 
than that of the case walls throughout the design envelope. 

• The integrity of the joints should be insensitive to: 

o Dimensional tolerances, 
o Transportation and handling, 
o Assembly procedures, 
o Inspection and test procedures, 
o Environmental effects, 
o Internal case operating pressure, 
o Recovery and reuse effects, 
o Flight and water impact loads. 

• The certification of the new design should include: 
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o Tests which duplicate the actual launch configuration as closely as 
possible. 

o Tests over the full range of operating conditions, including temperature. 

• Full consideration should be given to conducting static firings of the exact 
flight configuration in a vertical attitude. 

Independent Oversight. The Administrator of NASA should request the 
National Research Council to form an independent Solid Rocket Motor design oversight 
committee to implement the Commission's design recommendations and oversee the 
design effort. This committee should: 

• Review and evaluate certification requirements. 

• Provide technical oversight of the design, test program, and certification. 

• Report to the Administrator of NASA on the adequacy of the design and make 
appropriate recommendations. 

-II- 

Shuttle Management Structure. The Shuttle Program Structure should be 
reviewed. The project managers for the various elements of the Shuttle program felt 
more accountable to their center management than to the Shuttle program organization. 
Shuttle element funding, work package definition and vital program information 
frequently bypass the National STS (Shuttle) Program Manager. 

A redefinition of the Program Manager's responsibility is essential. This 
redefinition should give the Program Manager the requisite authority for all ongoing STS 
operations. Program funding and all Shuttle Program work at the centers should be 
placed clearly under the Program Manager's authority. 

Astronauts in Management. The Commission observes that there appears to be 
a departure from the philosophy of the 1960s and 1970s relating to the use of astronauts 
in management positions. These individuals brought to their positions flight experience 
and a keen appreciation of operations and flight safety. 
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• NASA should encourage the transition of qualified astronauts into agency 
management positions. 

• The function of the Flight Crew Operations director should be elevated in the 
NASA organization structure. 

Shuttle Safety Panel. NASA should establish an STS Safety Advisory Panel 
reporting to the STS Program Manager. The Charter of this panel should include Shuttle 
operational issues, launch commit criteria, flight rules, flight readiness and risk 
management. The panel should include representation from the safety organization, 
mission operations, and the astronaut office. 

- Ill - 

Criticality Review and Hazard Analysis. NASA and the primary Shuttle 
contractors should review all Criticality 1, 1R, 2, and 2R items and hazard analyses. This 
review should identify those items that must be improved prior to flight to ensure mission 
safety. An Audit Panel, appointed by the National Research Council, should verify the 
adequacy of the effort and report directly to the Administrator of NASA. 

-IV- 

Safety Organization. NASA should establish an Office of Safety, Reliability and 
Quality Assurance to be headed by an Associate administrator, reporting directly to the 
NASA Administrator. It would have direct authority for safety, reliability, and quality 
assurance throughout the agency. The office should be assigned the work force to ensure 
adequate oversight of its functions and should be independent of other NASA functional 
and program responsibilities. 

The responsibilities of this office should include: 

• The safety, reliability and quality assurance functions as they relate to all 
NASA activities and programs. 

• Direction of reporting and documentation of problems, problem resolution 
and trends associated with flight safety. 
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- V- 


Improved Communications. The Commission found that Marshall Space Flight 
Center project managers, because of a tendency at Marshall to management isolation, 
failed to provide full and timely information bearing on the safety of flight 51-L to other 
vital elements of Shuttle program management. 

• NASA should take energetic steps to eliminate this tendency at Marshall 
Space Flight Center, whether by changes of personnel, organization, 
indoctrination or all three. 

• A policy should be developed which governs the imposition and removal 
of Shuttle launch constraints. 

• Flight Readiness Reviews and Mission Management Team meetings 
should be recorded. 

• The flight crew commander, or a designated representative, should attend 
the Flight Readiness Review, participate in acceptance of the vehicle for 
flight, and certify that the crew is properly prepared for flight. 

-VI- 

Landing Safety. NASA must take actions to improve landing safety. 

• The tire, brake and nosewheel steering systems must be improved. These 
systems do not have sufficient safety margin, particularly at abort landing 
sites. 

• The specific conditions under which planned landings at Kennedy would 
be acceptable should be determined. Criteria must be established for tires, 
brakes and nosewheel steering. Until the systems meet those criteria in 
high fidelity testing that is verified at Edwards, landing at Kennedy should 
not be planned. 

• Committing to a specific landing site requires that landing area weather be 
forecast more than an hour in advance. During unpredictable weather 
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periods at Kennedy, program officials should plan on Edwards landings. 
Increased landings at Edwards may necessitate a dual ferry capability. 

-VII- 

Launch Abort and Crew Escape. The Shuttle program management considered 
first-stage abort options and crew escape options several times during the history of the 
program, but because of limited utility, technical infeasibility, or program cost and 
schedule, no systems were implemented. The Commission recommends that NASA: 

• Make all efforts to provide a crew escape system for use during controlled 
gliding flight. 

• Make every effort to increase the range of flight conditions under which 
an emergency mnway landing can be successfully conducted in the event 
that two or three main engines fail early in ascent. 

- VIII - 

Flight Rate. The nation's reliance on the Shuttle as its principal space launch 
capability created a relentless pressure on NASA to increase the flight rate. Such reliance 
on a single launch capability should be avoided in the future. 

NASA must establish a flight rate that is consistent with its resources. A firm 
payload assignment policy should be established. The policy should include rigorous 
controls on cargo manifest changes to limit the pressures such changes exert on schedules 
and crew training. 

-IX- 

Maintenance Safeguards. Installation, test, and maintenance procedures must be 
especially rigorous for Space Shuttle items designated Criticality 1. NASA should 
establish a system of analyzing and reporting performance trends of such items. 

Maintenance procedures for such items should be specified in the Critical Items 
List, especially for those such as the liquid-fueled main engines, which require unstinting 
maintenance and overhaul. 
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With regard to the Orbiters, NASA should: 


• Develop and execute a comprehensive maintenance inspection plan. 

• Perform periodic structural inspections when scheduled and not permit 
them to be waived. 

• Restore and support the maintenance and spare parts programs, and stop 
the practice of removing parts from one Orbiter to supply another. 

Concluding Thought 

The Commission urges that NASA continue to receive the support of the 
Administration and the nation. The agency constitutes a national resource that plays a 
critical role in space exploration and development. It also provides a symbol of national 
pride and technological leadership. 

The Commission applauds NASA's spectacular achievements of the past and 
anticipates impressive achievements to come. The findings and recommendations 
presented in this report are intended to contribute to the future NASA successes that the 
nation both expects and requires as the 21st century approaches. 
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APPENDIX B. COLUMBIA ACCIDENT INVESTIGATION 
BOARD RECOMMENDATIONS 

PART ONE - THE ACCIDENT 

Thermal Protection System 

R3.2-1 Initiate an aggressive program to eliminate all External Tank Thermal 
Protection System debris-shedding at the source with particular emphasis on the region 
where the bipod struts attach to the External Tank. 

R3.3-2 Initiate a program designed to increase the Orbiter’s ability to sustain 
minor debris damage by measures such as improved impact-resistant Reinforced Carbon- 
Carbon and acreage tiles. This program should determine the actual impact resistance of 
current materials and the effect of likely debris strikes. 

R3.3-1 Develop and implement a comprehensive inspection plan to determine the 
structural integrity of all Reinforced Carbon-Carbon system components. This inspection 
plan should take advantage of advanced non-destructive inspection technology. 

R6.4-1 For missions to the International Space Station, develop a practicable 
capability to inspect and effect emergency repairs to the widest possible range of damage 
to the Thermal Protection Sys-tem, including both tile and Reinforced Carbon-Carbon, 
taking advantage of the additional capabilities available when near to or docked at the 
International Space Station. 

For non-Station missions, develop a comprehensive autonomous (independent of 
Station) inspection and repair capability to cover the widest possible range of damage 
scenarios. 

Accomplish an in-orbit Thermal Protection System inspection, using appropriate 
assets and capabilities, early in all missions. 

The ultimate objective should be a fully autonomous capability for all missions to 
address the possibility that an International Space Station mission fails to achieve the 
correct orbit, fails to dock successfully, or is damaged during or after undocking. 
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R3.3-3 To the extent possible, increase the Orbiter’s ability to successfully re¬ 
enter Earth’s atmosphere with minor leading edge structural sub-system damage. 

In order to understand the true material characteristics of Reinforced Carbon- 
Carbon components, develop a comprehensive database of flown Reinforced Carbon- 
Carbon material characteristics by destructive testing and evaluation. 

R3.3-5 Improve the maintenance of launch pad structures to minimize the 
leaching of zinc primer onto Reinforced Carbon-Carbon components. 

R3.8-1 Obtain sufficient spare Reinforced Carbon-Carbon panel assemblies and 
associated support components to ensure that decisions on Reinforced Carbon-Carbon 
maintenance are made on the basis of component specifications, free of external 
pressures relating to schedules, costs, or other considerations. 

R3.8-2 Develop, validate, and maintain physics-based computer models to 
evaluate Thermal Protection System damage from debris impacts. These tools should 
provide realistic and timely estimates of any impact damage from possible debris from 
any source that may ultimately impact the Orbiter. Establish impact damage thresholds 
that trigger responsive corrective action, such as in-orbit inspection and repair, when 
indicated. 

Imaging 

R3.4-1 Upgrade the imaging system to be capable of providing a minimum of 
three useful views of the Space Shuttle from liftoff to at least Solid Rocket Booster 
separation, along any expected ascent azimuth. The operational status of these assets 
should be included in the Launch Commit Criteria for future launches. Consider using 
ships or aircraft to provide additional views of the Shuttle during ascent. 

R3.4-2 Provide a capability to obtain and downlink high-resolution images of the 
External Tank after it separates. 

R3.4-3 Provide a capability to obtain and downlink high-resolution images of the 
underside of the Orbiter wing leading edge and forward section of both wings. 
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R6.3-2 Modify the Memorandum of Agreement with the National Imagery and 
Mapping Agency to make the imaging of each Shuttle flight while on orbit a standard 
requirement. 

Orbiter Sensor Data 

R3.6-1 The Modular Auxiliary Data System instrumentation and sensor suite on 
each Orbiter should be maintained and updated to include current sensor and data 
acquisition technologies. 

R3.6-2 The Modular Auxiliary Data System should be redesigned to include 
engineering performance and vehicle health information, and have the ability to be 
reconfigured during flight in order to allow certain data to be recorded, telemetered, or 
both as needs change. 

Wiring 

R4.2-2 As part of the Shuttle Service Life Extension Program and potential 40- 
year service life, develop a state-of-the-art means to inspect all Orbiter wiring, including 
that which is inaccessible. 

Bolt Catchers 

R4.2-1 Test and qualify the flight hardware bolt catchers. 

Closeouts 

R4.2-3 Require that at least two employees attend all final closeouts and intertank 
area hand-spraying procedures. 

Micrometeoroid and Orbital Debris 

R4.2-4 Require the Space Shuttle to be operated with the same degree of safety 
for micrometeoroid and orbital debris as the degree of safety calculated for the 
International Space Station. Change the micrometeoroid and orbital debris safety criteria 
from guidelines to requirements. 
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Foreign Object Debris 

R4.2-5 Kennedy Space Center Quality Assurance and United Space Alliance must 
return to the straightforward, industry-standard definition of “Foreign Object Debris” and 
eliminate any alternate or statistically deceptive definitions like “processing debris.” 


PART TWO - WHY THE ACCIDENT OCCURRED 

Scheduling 

R6.2-1 Adopt and maintain a Shuttle flight schedule that is consistent with 
available resources. Although schedule deadlines are an important management tool, 
those deadlines must be regularly evaluated to ensure that any additional risk incurred to 
meet the schedule is recognized, understood, and acceptable. 

Training 

R6.3-1 Implement an expanded training program in which the Mission 
Management Team faces potential crew and vehicle safety contingencies beyond launch 
and ascent. These contingencies should involve potential loss of Shuttle or crew, contain 
numerous uncertainties and unknowns, and require the Mission Management Team to 
assemble and interact with support organizations across NASA/Contractor lines and in 
various locations. 

Organization 

R7.5-1 Establish an independent Technical Engineering Authority that is 
responsible for technical requirements and all waivers to them, and will build a 
disciplined, systematic approach to identifying, analyzing, and controlling hazards 
throughout the life cycle of the Shuttle System. The independent technical authority does 
the following as a minimum: 

• Develop and maintain technical standards for all Space Shuttle Program 
projects and elements 

• Be the sole waiver-granting authority for all technical standards 
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• Conduct trend and risk analysis at the sub-system, system, and enterprise 
levels 

• Own the failure mode, effects analysis and hazard reporting systems 

• Conduct integrated hazard analysis 

• Decide what is and is not an anomalous event 

• Independently verify launch readiness 

• Approve the provisions of the re-certification program called for in 
Recommendation R9.1 -1. 

The Technical Engineering Authority should be funded directly from NASA 
Headquarters, and should have no connection to or responsibility for schedule or program 
cost. 

R7.5-2 NASA Headquarters Office of Safety and Mission Assurance should have 
direct line authority over the entire Space Shuttle Program safety organization and should 
be independently resourced. 

R7.5-3 Reorganize the Space Shuttle Integration Office to make it capable of 
integrating all elements of the Space Shuttle Program, including the Orbiter. 


PART THREE - A LOOK AHEAD 
Organization 

R9.1-1 Prepare a detailed plan for defining, establishing, transitioning, and 
implementing an independent Technical Engineering Authority, independent safety 
program, and a reorganized Space Shuttle Integration Office as described in R7.5-1, 
R7.5-2, and R7.5-3. In addition, NASA should submit annual reports to Congress, as part 
of the budget review process, on its implementation activities. 
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Re-certification 


R9.2-1 Prior to operating the Shuttle beyond 2010, develop and conduct a vehicle 
re-certification at the material, component, subsystem, and system levels. Re¬ 
certification requirements should be included in the Service Life Extension Program. 

Closeout Photos/Drawing System 

RIO.3-1 Develop an interim program of closeout photographs for all critical sub¬ 
systems that differ from engineering drawings. Digitize the close-out photograph system 
so that images are immediately available for in-orbit troubleshooting. 

RIO.3-2 Provide adequate resources for a long-term program to upgrade the 
Shuttle engineering drawing system including: 

• Reviewing drawings for accuracy 

• Converting all drawings to a computer-aided drafting system 

• Incorporating engineering changes 
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APPENDIX C. GROUPTHINK DEFINED 


Groupthink is the term coined by the noted Yale research psychologist, Irving L. 
Janis, to describe the phenomenon by which a talented, intelligent, high-performing, and 
usually high-powered group makes horrible decisions. Janis defined groupthink as “a 
quick and easy way to refer to a mode of thinking that persons engage in when they are 
deeply involved in a cohesive in-group, when concurrence-seeking becomes so dominant 
that it tends to override critical thinking or realistic appraisal of alternative courses of 
action.” 188 Janis developed the theory of groupthink in an attempt to explain how 
seemingly rational, exceptionally intellectually-talented people can collectively make 
very poor decisions. Janis looked at the case of the United State’s action, or lack thereof, 
prior to the Japanese attack on Pearl Harbor, the Kennedy administration’s decisions 
regarding the Bay of Pigs, and the Johnson administration’s escalation of the Vietnam 
War, among others. In the case of the Bay of Pigs fiasco, Janis was seeking rationale as 
to why, as Janis put it, “one of the greatest arrays of intellectual talent in the history of 
American government - Dean Rusk, Robert McNamara, Douglas Dillon, Robert 
Kennedy, McGeorge Bundy, Arthur Schlesinger, Allen Dulles...” 189 collectively 
blundered to the point that President Kennedy stated, “How could we have been so 
stupid?” 190 Janis felt certain that simple stupidity was not the answer, nor was a study of 
the behavior of individuals in the in-group likely to provide true insight. So, after 
rigorously exploring group dynamics through review of the aforementioned pivotal 
episodes in history and other case studies, the conduct of experimental situations, and the 
review of vast amounts of documentation, Janis derived groupthink as a theory that fit 
consistently with the facts and records of the decision-making processes and personalities 
he studied. Over the course of the 1970’s and early 1980’s Janis further developed and 
structured his groupthink construct. 

Janis instructs us that there are three antecedent conditions for the development of 
groupthink to occur. These precursors are: a highly cohesive group, leader preference 

188 Janis, I.L., Groupthink, 2 nd edition, p.8, Houghton Mifflin, Boston, 1982. 

189 Janis, I.L., Victims of Groupthink: A Psychology Study of Foreign Policy, p.173. 

190 Janis, Victims of Groupthink: A Psychology Study of Foreign Policy, p. 173. 
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for a certain decision, and the insulation of the group from qualified, outside opinions. 191 
Janis described eight symptoms of groupthink and placed them in three category types. 
Type I symptoms are those that reveal an overestimation of the group with respect to its 
power and morality, Type II symptoms are those that show closed-mindedness, and Type 
III symptoms are those that expose pressures towards uniformity within the group. 192 
There are two Type I symptoms, two Type II, and four Type III. 

The Type I groupthink symptoms are (1) an illusion of invulnerability and (2) an 
unquestioned belief in the group’s inherent morality. With a shared illusion of 
invulnerability, the group, or a majority of its members display a remarkable degree of 
over-optimism and risk assumption. In the words of Janis, this collective sense of 
invincibility “causes them [the in-group] to fail to respond to clear warnings of 
danger.” 193 When the group believes it has an inherent morality, the members are 
disposed to overlook the moral or ethical consequences of their decisions. 194 

Type II symptoms of groupthink are (3) stereotyped negative views of rivals or 
anyone with a competing or contrary opinion, and (4) the collective formation of 
rationalizations that write off warnings and similar negative feedback. With the 
occurrence of stereotyped views of any “opponents”, the group deems the opposition too 
weak or stupid to understand the problem or deal with it successfully. 195 Rationalizations 
that dismiss warnings serve to block members of the group from reviewing data or other 
signs that would lead them to reconsider their assumptions before recommitting 
themselves to those suppositions. 

The Type III indicators of groupthink having taken hold within a group are (5) 
self-censorship of deviations, (6) direct pressure on the membership to maintain 
conformity, (7) a shared illusion of unanimity, and (8) the emergence of self-appointed 

191 G. Moorhead, R. Ference, and C. Neck, Group Decision Fiascoes Continue: Space Shuttle 
Challenger and a Revised Groupthink Framework , p. 541, Human Relations, Vol. 44, No. 6, 1991. 

192 C. Ferraris, and R. Carveth, NASA and the Columbia Disaster: Decision-making by Groupthink?, 
p. 2, Proceedings of the 2003 Association for Business Communications Annual Convention, 2003. 

193 Janis, Victims of Groupthink: A Psychology Study of Foreign Policy, p. 175. 

194 I. L. Janis, “Groupthink Among Policy Makers,” Sanctions for Evil, ed. N. Sanford and C. 
Comstock, p. 77, Jossey-Bass, San Francisco, 1971. 

195 Moorhead, et al. Group Decision Fiascoes Continue: Space Shuttle Challenger and a Revised 
Groupthink Framework, p. 543. 
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“mindguards.” 196 When self-censorship exists, group members withhold dissenting 
views, counter-arguments, and misgivings over the chosen path. Groups that are infected 
with groupthink will, as Janis put it, “exert direct pressure on any member who expresses 
strong arguments against any of the group’s stereotypes, illusions, or commitments, 
making clear that this type of dissent is contrary to what is expected of all loyal 
members.” 197 With a shared illusion of unanimity manifested, a cohort’s membership 
falsely perceives that everyone agrees with the group’s decisions; silence is taken as 
consent. Finally, any self-appointed mindguards that arise from within the group will act 
to protect the collective from negative information that might threaten the group’s 
cohesion or complacency. A classic example of a mindguard is Robert F. Kennedy 
behavior during the run-up to the Bay of Pigs invasion. During a party for his wife, 
Kennedy confronted Arthur Schlesinger, who was opposed to the invasion plan. After 
Schlesinger had explained his position, Kennedy responded with: 

You may be right or you may be wrong, but the President has made his mind up. 
Don’t push it any further. Now is the time for everyone to help him all they can. 198 

Table 1, below, provides a succinct listing of the symptoms of groupthink. 


1911 Janis, Victims of Groupthink: A Psychology Study of Foreign Policy, p. 176. 

197 Janis, Groupthink, p. 174. 

198 Janis, Groupthink, p. 41. 
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Type 

Symptom 

Manifestation 

I 

Illusion of Invulnerability 

Members ignore obvious danger, take extreme 
risk, and are overly optimistic 

Unquestioned Belief in the 
Groups Inherent Morality 

Members believe their decisions are morally 
correct, ignoring the ethical consequences of 
their decisions 

II 

Excessive Stereotyping 

The group constructs negative stereotypes of 
rivals outside the group 

Rationalization or Discount 
Warnings 

Members discredit and explain away warning 
contrary to group thinking 

III 

Self-Censorship of 
Deviations 

Members withhold their dissenting views and 
counter-arguments 

Direct Pressure on a Member 
for Conformity 

Members pressure any in the group who express 
arguments against the group's stereotypes, 
illusions, or commitments, viewing such 
opposition as disloyalty 

A Shared Illusion of 
Unanimity 

Members perceive falsely that everyone agrees 
with the group's decision; silence is seen as 
consent 

The emergence of a self- 
appointed “Mindguard” 

Some members appoint themselves to the role of 
protecting the group from adverse information 
that might threaten group complacency 


Table 1- Group think Symptoms 


Defective decision-making as the outcome of groupthink can take several forms. 
They include failure to completely consider alternatives, no re-examination of 
alternatives, rejection of expert opinion, the dismissal of negative information, and the 
lack of contingency plans. 199 Figure 3, below provides a depiction of Jams’ groupthink 
model. This fully developed framework will now be applied to the Challenger and 
Columbia incidents to determine whether the evidence exits to reasonably conclude that 
groupthink was at work at NASA. 


199 Janis, Groupthink, p. 145. 
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APPENDIX D. GROUPTHINK REMEDIES 


Janis’s nine remedies for groupthink are revealed in greater detail below and are 
suggested for use as tools to preclude groupthink from taking hold in an organization. 

1. Encourage critical thinking 

The organization must maintain an atmosphere where all members are allowed to 
express their opinions and concerns without fear of pressure or resentment. Leadership 
should accept minority opinions and dissent without any disapproving feedback, even in 
the form of gestures or body language. 

2. Leadership should attempt to remain impartial to ideas or proposals 

It is often observed and experienced by the authors of this paper that when a 
leader expresses a preference before the group, the group members often act to concur 
with the leadership preference, whether they consciously do so or not. This phenomenon 
short-circuits the critical thinking process. Leaders need to ensure they don’t show bias 
for or against any solutions early in the process. This encourages the group to conduct an 
open inquiry of wide-ranging action alternatives. 

3. Use multiple subgroups in parallel with different leaders to work the 
same problem 

Different subgroups with diverse leadership tend to explore differing alternatives 
under varied leadership styles. This will likely result in a broader spectrum of solutions 
and criticisms being obtained. 

4. Reconvene the smaller subgroups to reach a combined decision 

As with the use of smaller subsets of the larger group to work the problem, these 
smaller groups should reassembled to collaboratively assemble the range of proposals, 
risk, and criticisms generated in the subgroups. This is likely to yield a wide-ranging 
spectrum of possible alternatives for action. 
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5. Each member of the group(s) should be empowered and authorized to 
discuss the group’s progress with trusted associates outside the “in-group”, but 
within the larger organization 

While ensuring that the “outsider” is trustworthy, the discussion of the group’s 
efforts with someone outside of the collective, yet understanding of the larger 
organization’s mission and needs, will likely bring some fresh idea and views to the 
problem. This will help counteract any tendency towards narrow-mindedness, even 
within the subgroups. 

6. Outside expert opinion should be allowed 

The group needs to embrace the idea that outside experts should be allowed to 
provide periodic assessments and “sanity checks” of the groups ideas and actions. These 
external specialists will hopefully challenge the group’s ideas, assumptions, and 
undertakings so that the risk of overlooking something crucial is minimized. 

7. A devil’s advocate should be assigned within the group 

A member of the group, usually in a rotational role, should act as a devil’s 
advocate to critically appraise proposals, ideas, and to basically question everything, 
especially majority opinions. The devil’s advocate must take the role seriously and not 
pull any punches, lest this result in the group coming to believe a bad decision has been 
properly scrutinized and then blessed by the advocate. 

8. Take time to discuss potential opposing views and responses 

At times when the efforts of the group may bring them into conflict with outside 
organizations and perceptions (e.g., senior management, Congress, etc.), they should 
take the time to put themselves in the place of their “opposition” and attempt to 
characterize the possible concerns and responses those organizations may have regarding 
the group’s activities. This could be thought of as a “stakeholder” analysis and will serve 
to improve the quality of the decisions made and the group’s execution plans for them. 
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9. Have a “second chance” meeting prior to a final decision 

Prior to making a final decision and taking action, the group should convene to 
hold a meeting where every member of the group is encouraged and allowed, without 
bias or pressure, to express any lingering doubts or concerns with the consensus reached 
previously. 
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200 Janis, I. L., and L. Mann, Decision Making, p. 87, Free Press, New York, 1977. 
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